Security experts have discovered a seemingly innocent screen recording app on the Google Play Store that transformed into a spy app months later.
Researchers at cybersecurity company ESET said they discovered that the ‘trojanized Android app’ had been available on the Google Play store with over 50,000 installs.
The app, named ‘iRecorder – Screen Recorder’, was initially uploaded in 2021 to do just that. However, malicious functionality to enable spying on users was later implemented in August 2022.
‘What is quite uncommon is that the application received an update containing malicious code quite a few months after its launch,’ said Lukas Stefanko, an ESET researcher.
The update turned the app from a screen recorder into one able to extract microphone recordings and steal files with specific extensions.
According to Stefanko, this indicates its involvement in an espionage campaign. However, he was not able to attribute the app to any particular malicious group.
The malicious app was downloaded over 50,000 times before it was removed from Google Play after it was reported.
‘It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code,’ said Stefanko.
The researchers identified that the malicious code added to the clean version of iRecorder was based on the open-source AhMyth Android RAT (remote access trojan) and customized into what they named ‘AhRat’.
Aside from providing legitimate screen recording functionality, iRecorder was eventually able to record surrounding audio from the users’ microphones and upload it to the attacker’s server.
It also captured files from the device with extensions representing saved web pages, images, audio, video, and document files, as well as file formats used for compressing multiple files.
Besides this one case, AhRat has not been detected anywhere else in the wild. However, this is not the first time that AhMyth-based Android malware has been available on Google Play.
In 2019, ESET published research on a trojanized spyware app built on the foundations of AhMyth that circumvented Google’s app-vetting process twice by posing as a radio streaming app.
‘We don’t allow apps that maliciously target users for information, or purposefully try to defraud or cause harm,’ said Google.
‘Anyone who believes they have found an app that violates our rules can report it to Google Play. When violations are found, we take appropriate action.’