Keeping malware off of people's phones has always been a tricky task. It feels like every time we see new security measures come along, it's just a matter of time before malware starts bypassing them. While the Play Store is always working to weed out malicious software, Google's efforts weren't able to stop one screen recorder app from spying on its users after receiving a malware-transforming update almost a year after its initial release.

The app in question, iRecorder Screen Recorder, first appeared on the Play Store in 2021, and offered users the ability to capture content on their screens. Just over a year later, the app received an update, which an ESET investigation reveals introduced malware that would secretly record audio and forward it to a remote server (via Ars Technica). The spying tool used code from AhMyth, a common open-source remote access Trojan (RAT) that had previously been used in other apps similarly secreted onto the Play Store under Google's nose.

Earlier versions of the app didn't include any form of malware, and the update that introduced it to the screen recorder would have likely gone unnoticed through the update. Maybe the biggest trick it pulls is that the permissions the malware needs to do its nasty business overlap with the permissions the app would have already been granted in order to perform its screen recording functionality.

The analysis here serves as a prime example of how a seemingly normal app can stealthily become malware after an update. The researchers theorize that this tactic could have been to build up a user base before prior to issuing the malware, but it notes that it has no evidence to prove anything like that.

With Android 14 on the horizon, Google is trying new ways to prevent malware from seeping onto users' phones. The early betas include new protection against apps trying to read people's screens without consent. While that wouldn't necessarily stop malware like this, it's still an important indication that Google is taking app security seriously.