This application with more than 50,000 downloads was spying on its users for months


ESET cybersecurity experts have discovered an Android application that had been spying on users for months.

Cybersecurity experts from ESET have published a report describing how an Android app that looked safe at first glance, and that had accumulated more than 50,000 downloads on Google Play, went from being a simple app for recording the phone screen to endangering thousands of users through malicious software.

The most striking thing about this case is that the application did not contain any code related to the Trojan when it was published on the Google Play Store in September 2021. It was a year later that the developer updated the app to introduce the malicious code, capable of extracting voice recordings captured with the phone's microphone and gaining access to sensitive information stored on the device.

AhRat, the malware that remained hidden in Google Play spying on Android users

As the researchers have explained, the application, published on Google Play in 2019 under the name iRecorder – Screen Recorder, had the functionality advertised in its store description and did not appear to include any malicious features. In fact, user ratings of the app were generally positive.

It was in August 2022, with the arrival of version 1.3.8, that the malicious code was added to the application. Analysis of its operation showed that the app was able to use the device's microphone to listen to what was happening around the user, and then send the recordings to the attacker's control server. For this to work, the user must previously have granted the app permission to access the microphone (a type of permission that is frequently requested by this kind of application and should not raise suspicion).

Unfortunately, the problems do not end there. The application also requested access to content stored in the phone's storage, which was subsequently exploited to send files with specific extensions to the same server that received the recordings. For this reason, the researchers believe that the malware, dubbed AhRat, is part of an espionage campaign about which not much is known so far. It is also unclear who is behind this specific threat.

After discovering the malware in the Google Play Store catalogue, ESET informed Google, and the team in charge of the store has already removed iRecorder from the Play Store. However, since the application was downloaded more than 50,000 times, it may still be present on some devices today. In addition, it has been discovered that the app was also distributed through alternative app stores.

Source: www.lavanguardia.com
