Android Malware


ESET malware researchers have discovered a new Remote Access Trojan (RAT) on the Google Play Store, hidden inside an Android screen recording app with tens of thousands of installs.

Although it was first added to the store in September 2021, the “iRecorder – Screen Recorder” application was likely trojanized via a malicious update released almost a year later, in August 2022.

The app’s name made it easier to request permission to record audio and access files on infected devices, as the request matched the capabilities expected of a screen recording tool.

Prior to its removal, the app racked up over 50,000 installs on the Google Play Store, exposing users to malware infections.

“Following our notification of iRecorder’s malicious behavior, the Google Play security team removed it from the store,” said Lukas Stefanko, Malware Researcher at ESET.

“However, it is important to note that the app can also be found on alternative and unofficial Android marketplaces. Developer iRecorder also provides other apps on Google Play, but they do not contain malicious code.”

iRecorder entry in Google Play (ESET)

The malware in question, named AhRat by ESET, is based on an open-source Android RAT known as AhMyth.

It has a wide range of features including, but not limited to, tracking the location of infected devices, stealing call logs, contacts and text messages, sending SMS messages, taking photos and recording audio in the background.

Upon further investigation, ESET discovered that the malicious screen recording app itself used only a subset of the RAT’s capabilities: it was used only to create and exfiltrate ambient sound recordings and to steal files with specific extensions, hinting at potential spying activities.

This is not the first time that Android malware based on AhMyth has infiltrated the Google Play store. ESET also published details in 2019 about another AhMyth trojan app that tricked Google’s app verification process twice by pretending to be a radio broadcast app.

“Previously, the open-source AhMyth was employed by Transparent Tribe, also known as APT36, a cyber espionage group known for its extensive use of social engineering techniques and targeting government and military organizations in South Asia,” Stefanko said.

“However, we cannot attribute the current samples to a specific group, and there is no indication that they were produced by any known Advanced Persistent Threat (APT) group.”

Update: A Google spokesperson shared the following statement after the article was published:

When we find apps that violate our policies, we take appropriate action. Users are also protected by Google Play Protect, which can warn users about identified malicious apps on Android devices.
