This Android app with over 50,000 installs steals your files and microphone recordings — what to do

A picture depicting how banking trojans steal credit card data
(Image credit: Shutterstock)

An Android app downloaded onto more than 50,000 devices has been found to be harboring data-stealing malware.

Security researchers at ESET discovered that the iRecorder – Screen Recorder app available on Google Play had malicious functionality that let it extract data from a user’s Android device. This data could include microphone recordings and files with specific extensions. 

That latter part is noteworthy — according to ESET’s WE Live Security blog, that could be an indication that the trojanized app was being used as part of an espionage campaign. 

When the app was first uploaded on the Play Store in September 2021, it didn’t appear to have any malware or trojans lurking beneath its digital skin; this is likely why it managed to bypass Google’s app store security measure. But ESET said it appeared to become trojanized via an update a few months later, and from there the app was able to carry out its malicious behavior using the AhMyth-based malware that ESET named AhRat. 

“It appears that malicious functionality was later implemented, most likely in version 1.3.8, which was made available in August 2022,” wrote ESET malware analyst Lukas Stefanko. 

While tens of thousands of Android devices have been infected by AhRat, it's not been detected by ESET anywhere else. So you can breathe a sigh of relief that this isn't likely to be massively widespread malware. 

Avoid the iRecorder – Screen Recorder app  

The iRecorder – Screen Recorder app has been pulled from the Play Store by Google so isn’t set to cause any more problems on that platform now. 

But the app could still be available on unofficial Android app stores and markets. If you happen to frequent such places, you’ll want to avoid the iRecorder – Screen Recorder app. 

If you’ve been using the app, we suggest you immediately remove it from your phone. (Here's a refresher on how to delete apps on Android.) As for any exfiltrated data, we’re afraid that there’s not much that can be done now as that data has likely been extracted to a remote server. For a bit of security hygiene, it might be best to reset your passwords and double-check app permissions. 

And do make sure to have one of the best Android antivirus apps on your Android devices to help keep malware at bay. 

More from Tom's Guide

Roland Moore-Colyer

Roland Moore-Colyer a Managing Editor at Tom’s Guide with a focus on news, features and opinion articles. He often writes about gaming, phones, laptops and other bits of hardware; he’s also got an interest in cars. When not at his desk Roland can be found wandering around London, often with a look of curiosity on his face.