"Legitimate Android App Transforms Into Data-Snooping Malware"

iRecorder - Screen Recorder is a trojanized Android app discovered by ESET researchers. It was available as a legitimate app on Google Play in September 2021, and the malicious functionality was likely introduced in August 2022. During its existence, the app was installed on more than 50,000 devices. The malicious code added to the clean version of iRecorder is based on the open-source AhMyth Android Remote Access Trojan (RAT) and has been modified into what ESET researchers call AhRat. The malicious app's ability to record audio using the device's microphone and to steal files suggests it may be part of an espionage operation. ESET Research has not found AhRat in the wild anywhere other than the Google Play Store. This is not the first time, however, that AhMyth-based Android malware has been available on the official store: in 2019, ESET published research on a similar trojanized app. That spyware, which was also based on AhMyth, circumvented Google's app-vetting process twice as a malicious app that provided radio streaming. The iRecorder app is also available on unofficial and alternative Android markets, and the developer offers other apps on Google Play that do not contain malicious code. This article continues to discuss findings regarding the trojanized Android app iRecorder - Screen Recorder.

Help Net Security reports "Legitimate Android App Transforms Into Data-Snooping Malware"

Submitted by Anonymous on