The Google Play app was downloaded 50,000 times and made secret microphone recordings every 15 minutes.

An effective way for a malicious Android app in the Play Store to avoid Google's detections is to arrive as a clean, legitimate program and only have the malicious elements deployed in a later update. That is what happened with iRecorder – Screen Recorder. The app, which was downloaded 50,000 times, secretly made audio recordings with the device's microphone every 15 minutes and sent them to an attacker.

ESET researcher Lukas Stefanko discovered that iRecorder – Screen Recorder had been trojanized within the last year. The app first arrived on Google Play in September 2021, when it was free of malicious elements, but that changed when the version 1.3.8 update arrived in August 2022.

The malicious code added to the app is based on the open source AhMyth Android RAT (Remote Access Trojan) malware that can steal data from devices, including contacts, SMS messages, call logs, browser histories, device location, and screenshots. But the developer’s custom version, which ESET dubbed AhRat, had limited functionality.

The insidious aspect of AhRat is its ability to record surrounding audio from the device’s microphone every 15 minutes and upload it to the attacker’s command and control (C&C) server.

Only six of the app's 18 capabilities had been implemented, suggesting that AhRat was a work in progress that could have gained some of the additional features found in AhMyth, such as keylogging, location tracking, and screenshot capture, at a later date.

Not only was the app downloaded over 50,000 times, but it earned a respectable 4.2-star rating on Google Play, likely as a result of being safe for so long. A low score with a lot of user reviews is usually a red flag.

Being able to record and send audio at short intervals is an unusual feature. Stefanko suggests that it could be part of an espionage campaign, especially since the open source AhMyth had previously been used by Transparent Tribe, a spy group known for targeting government and military organizations in South Asia. However, there is no evidence that AhRat is linked to that group, nor is it clear if the app was designed to spy on a specific group of people.

Coffeeholic Dev, the developer of the app, had other apps in the store that showed no signs of malware, but malicious elements might have been added to them at some point in the future, as was the case with iRecorder – Screen Recorder. We won't be able to find out, as Google has removed all of its apps.