A malicious Android app with more than 50,000 downloads on the Google Play Store has been discovered. The trojanized Android app named iRecorder – Screen Recorder, was initially uploaded to the Google Play Store without malicious functionality on September 19, 2021. However, it appears that malicious functionality was later implemented, most likely in version 1.3.8 of the app, which was made available in August 2022, according to Essential Security against Evolving Threats or ESET researchers.


The Android app's specific malicious behaviour involves extracting microphone recordings and stealing files with specific extensions, potentially indicates that it is involved in an espionage campaign. However, the researchers were not able to attribute the app to any particular malicious group.


According to malware researcher Lukas Stefanco, apart from providing legitimate screen recording functionality, the malicious iRecorder app can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device.


"It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code. The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customized into what we named AhRat," Stefanco explained.


"The iRecorder application was initially released on the Google Play Store on September 19th, 2021, offering screen recording functionality; at that time, it contained no malicious features. However, around August 2022 we detected that the app’s developer included malicious functionality in version 1.3.8. As illustrated in Figure 1, by March 2023 the app had amassed over 50,000 installations," he added.


After the initial communication, AhRat pings the C&C server every 15 minutes, requesting a new configuration file. This file contains a range of commands and configuration information to be executed and set on the targeted device, including the file system location from which to extract user data, the file types with particular extensions to extract, a file size limit, the duration of microphone recordings (as set by the C&C server; during analysis it was set to 60 seconds), and the interval of time to wait between recordings – 15 minutes – which is also when the new configuration file is received from the C&C server.


Meanwhile, AhRat has not been detected anywhere else in the wild. However, this is not the first time that AhMyth-based Android malware has been available on Google Play. The researchers had previously published a report on such a trojanized app in 2019. Back then, the spyware, built on the foundations of AhMyth, circumvented Google’s app-vetting process twice, as a malicious app providing radio streaming.