Researchers recently uncovered a Google Play Store app that was updated to include malicious functionality. According to the report, a specific update of the app introduced AhMyth-based malware, allowing it to access users’ files on their devices. The app is no longer available on the platform, but it reached up to 50,000 downloads after launching in September 2021.
Google’s Play Store is not immune to malware-laced apps. According to researchers at ESET, an app called “iRecorder — Screen Recorder” made it onto the platform and was later updated to push malware. ESET researchers named the customized malicious code, which is based on the open-source AhMyth Android RAT (remote access trojan), “AhRat.” Lukas Stefanko, the researcher who discovered the malware in the app, said, “It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code.”
The app was originally meant to let users record their screen once granted permission to record the device’s audio. However, the report stresses that the app turned harmful at version 1.3.8, which introduced AhRat. Anyone who has installed the iRecorder app is therefore advised to remove it from their device.
“Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server,” Stefanko wrote. “It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device. The app’s specific malicious behavior – exfiltrating microphone recordings and stealing files with specific extensions – tends to suggest that it is part of an espionage campaign. However, we were not able to attribute the app to any particular malicious group.”
The app was removed from the platform after ESET shared its report, but by then it had already been downloaded 50,000 times. It also reportedly remains available on other Android app stores, so its download count continues to grow. As the report indicated, receiving version 1.3.8 of the app, whether installed manually or delivered automatically as an update, would mean exposure to the malware “even without granting any further app permission approval.”
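Because the malicious behaviour arrived silently through an update to version 1.3.8, the practical defender check is not “did I install iRecorder?” but “which version is on the device?”. The following Python helper is an added example, not code from the article or from ESET: it parses the `versionName=` line from `adb shell dumpsys package <pkg>` output and flags any build at or above 1.3.8. The package name is a placeholder (the article does not give the app’s package id), and the dumpsys output is a constructed, abridged sample.

```python
import re
from typing import Dict, Optional, Tuple

# Placeholder: the article does not state iRecorder's real package id.
IRECORDER_PACKAGE = "com.example.irecorder"  # assumption, not the real id
# Per ESET's report, version 1.3.8 is the first build carrying AhRat.
FIRST_MALICIOUS_VERSION: Tuple[int, ...] = (1, 3, 8)

# Constructed, abridged sample of `adb shell dumpsys package <pkg>` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.irecorder] (1a2b3c):
    userId=10123
    versionCode=138 minSdk=21 targetSdk=31
    versionName=1.3.8
"""


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '1.3.8' into (1, 3, 8); a non-numeric tail such as '-beta' is dropped."""
    parts = []
    for piece in s.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_name_from_dumpsys(text: str) -> Optional[str]:
    """Extract the versionName field; None if the package is not installed."""
    m = re.search(r"^\s*versionName=(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def is_trojanized_build(version_name: str) -> bool:
    """True for 1.3.8 and every later build (tuple comparison handles 1.10.0 > 1.3.8)."""
    return parse_version(version_name) >= FIRST_MALICIOUS_VERSION


def assess(dumpsys_text: str) -> Dict[str, object]:
    """Summarize whether the app is present and whether its version is in the malicious range."""
    version = version_name_from_dumpsys(dumpsys_text)
    if version is None:
        return {"installed": False, "version": None, "flag": False}
    return {"installed": True, "version": version, "flag": is_trojanized_build(version)}


if __name__ == "__main__":
    # In practice: subprocess.run(["adb", "shell", "dumpsys", "package", IRECORDER_PACKAGE], ...)
    print(assess(SAMPLE_DUMPSYS))
```

Running the same check against a fleet of devices is a matter of feeding each device’s dumpsys output through `assess`; an app that is installed but still below 1.3.8 should nonetheless be removed, since an automatic update would bring the malicious build without any new permission prompt.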
Interestingly, Stefanko noted that the same developer offers other apps on Google Play that do not contain malicious code. It is unclear whether the malicious code was added by the developer or by a third party, but the developer’s other apps are now suspect. As noted above, the malicious code was introduced only a year after iRecorder was listed on Google Play, which raises the possibility that the developer’s other apps could be modified the same way in the future.