ESET researchers have discovered a malware Android app, IRecorder, which had been downloaded on 50,000 devices.
IRecorder, Screen Recorder was available on Google Play as a legitimate app in September 2021, with research suggesting malicious functionality was most likely added in August 2022.
During its existence, the app was installed on more than 50,000 devices.
The malicious code added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customised into what ESET named AhRat.
The malicious app became capable of recording audio using the device's microphone and stealing files, suggesting it might be part of an espionage movement.
Besides the Google Play Store, ESET Research has not detected AhRat applied anywhere else, although this is not the first time it has been found in the official store.
ESET previously published research on such a trojanised app in 2019, where the spyware was built on the foundations of AhMyth. The app provided radio streaming and circumvented Google's app-vetting process twice.
Lukáš Štefanko, the ESET researcher who discovered and investigated the threat, explains: "The AhRat research case serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy."
"While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app, so far, we have no evidence for either of these hypotheses."
The remotely controlled AhRat is a customisation of the open-source AhMyth RAT, which reflects that the authors of the malicious app invested significant effort into understanding the code of both the app and the back end, ultimately adapting it to suit their own needs.
Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device's microphone and upload it to the attacker's command and control server.
It can also exfiltrate from the device files with extensions representing saved web pages, images, audio, video, document files, and formats for compressing multiple files.
Android users who installed an earlier version of iRecorder (before version 1.3.8), which lacked any malicious features, would have unknowingly exposed their devices to AhRat if they later updated the app, even without granting further app permission approval.
Štefanko continues: "Fortunately, preventive measures against such malicious actions have already been implemented in Android 11 and higher versions in the form of app hibernation."
"This feature effectively places apps that have been dormant for several months into a hibernation state, resetting their runtime permissions and preventing malicious apps from functioning as intended."
"The malicious app was removed from Google Play after our alert, which confirms that the need for protection to be provided through multiple layers, such as ESET Mobile Security, remains essential for safeguarding devices against potential security breaches."
ESET Research hasn't yet found any conclusive proof allowing this activity to be linked to a specific campaign or APT group.
The IRecorder app, free of malicious code, can be found on alternative and unofficial Android markets, with the developer providing other applications on Google Play.