Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update

The AhRat trojan was injected in a screen recording application that had amassed more than 50,000 downloads via Google Play.

A screen recording application that had amassed more than 50,000 downloads in Google Play was trojanized via an update last year, cybersecurity firm ESET reports.

The application, ‘iRecorder – Screen Recorder’, was initially published on Google Play in September 2021, without malicious functionality. When updated to version 1.3.8 in August last year, the AhMyth-based remote access trojan called AhRat was injected into the app.

According to ESET, the AhRat trojan, which has not been observed in the wild elsewhere, can record audio using the microphone and exfiltrate the recordings and other files from the infected devices, suggesting its use in an espionage campaign.

AhMyth is a cross-platform RAT previously used by APT36, a Pakistan-linked state-sponsored threat actor also known as Transparent Tribe and Mythic Leopard, but the ...