Cyber-security researchers have identified a trojanised Android app that was available on Google Play store with over 50,000 installs, extracted microphone recordings and stole files with specific extensions from the users.
The app, named iRecorder-Screen Recorder, was initially uploaded to the store without malicious functionality in 2021.
"However, it appears that malicious functionality was later implemented, most likely in version 1.3.8, which was made available in August 2022," said ESET researchers.
Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device's microphone and upload it to the attacker's command and control (C&C) server.
It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device.
The application's specific malicious behaviour, which involves extracting microphone recordings and stealing files with specific extensions, potentially indicates its involvement in an espionage campaign, the researchers noted.
The malicious app was removed from Google Play after the researchers alerted the tech giant.
"It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code. The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customised into what we named AhRat," the team explained.
This is not the first time that AhMyth-based Android malware has been available on Google Play.
The ESET researchers previously published research on one such trojanized app in 2019.
Back then, the spyware, built on the foundations of AhMyth, circumvented Google's app-vetting process twice, as a malicious app providing radio streaming.
The research serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy.
"While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app; so far, we have no evidence for either of these hypotheses," said the ESET team.
Also read | 1Win App Overview: How to Install the App on Android and iOS
Also read | WhatsApp bug causing some Android devices to falsely report microphone access