Cyber-security researchers have discovered a legitimate Android app that was updated to act as spyware roughly a year after its release.
The trojanised Android app, which was available on the Google Play store, had over 50,000 installs. It recorded audio from the device microphone and stole files with specific extensions from users' devices.
Dubbed iRecorder-Screen Recorder, the app was initially uploaded to the store without malicious functionality back in 2021.
“However, it appears that malicious functionality was later implemented, most likely in version 1.3.8, which was made available in August 2022,” according to ESET researchers.
Apart from allowing users to record their device screen, the malicious iRecorder was modified to record ambient audio from the microphone and upload it to the attacker's command and control (C&C) server.
It can also exfiltrate files from the device whose extensions indicate saved web pages, images, audio, video, documents, and archive formats used for compressing multiple files.
The application’s malicious behavior indicates that it might be involved in an espionage campaign, the researchers noted.
The app was removed from Google Play Store after the researchers alerted the tech giant to its malicious nature.
“It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code. The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customized into what we named AhRat,” the team explained.
This is not the first time that AhMyth-based Android malware has been available on Google Play. The ESET researchers previously published research on one such trojanized app in 2019.
Back then, the spyware circumvented Google's app-vetting process twice, posing as a radio-streaming app.
iRecorder-Screen Recorder is a disquieting example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy.
“While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app, so far we have no evidence for either of these hypotheses,” noted the ESET team.