Google recently removed an app called “iRecorder – Screen Recorder” from its Play Store after it was discovered to contain malicious code. The app was first uploaded by a developer named Coffeeholic Dev in September 2021 and had been downloaded over 50,000 times. The malicious functionality is believed to have been added almost a year later, in version 1.3.8, released on August 24, 2022.
The malicious code was based on the open source AhMyth Android RAT (Remote Access Trojan) and had been customized into what researchers named AhRat. It was able to extract microphone recordings and harvest files with specific extensions, indicating a possible espionage motive. Although there is no evidence connecting the activity to any known threat actor, AhMyth has been previously used by Transparent Tribe in attacks targeting South Asia.
This case is an example of a technique called versioning, which involves uploading a clean version of the app to the Play Store to build trust and then adding malicious code at a later stage via app updates, in order to evade detection. It serves as a reminder of how an initially legitimate application can transform into a malicious one, even after many months, and spy on its users.
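A defender-side check for versioning, as an added example that is not from the original article: it diffs the declared permissions and components of two releases of the same app. The manifests, package name, component names and version strings are constructed; the sample app already requests microphone and storage access in its clean release, so the permission delta is empty and the new background service is the only manifest-level signal.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifests (already decoded to text); hypothetical names.
OLD_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.recorder" android:versionName="1.0-sample">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".RecorderService"/>
  </application>
</manifest>
"""
# The "update": same permissions, one extra background service.
NEW_MANIFEST = OLD_MANIFEST.replace("1.0-sample", "1.1-sample").replace(
    "</application>",
    '  <service android:name=".BackgroundSyncService"/>\n  </application>')


def manifest_surface(xml_text):
    """Return (versionName, permissions, components) declared by a manifest."""
    root = ET.fromstring(xml_text.strip())
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    comps = {(e.tag, e.get(ANDROID + "name"))
             for e in root.iter() if e.tag in COMPONENT_TAGS}
    return root.get(ANDROID + "versionName"), perms, comps


def update_delta(old_xml, new_xml):
    """List what the newer release declares that the older one did not."""
    old_ver, old_perms, old_comps = manifest_surface(old_xml)
    new_ver, new_perms, new_comps = manifest_surface(new_xml)
    return {
        "from": old_ver,
        "to": new_ver,
        "added_permissions": sorted(new_perms - old_perms),
        "added_components": sorted(new_comps - old_comps),
    }


if __name__ == "__main__":
    for key, value in update_delta(OLD_MANIFEST, NEW_MANIFEST).items():
        print(f"{key}: {value}")
```

An empty permission delta does not clear an update; new components and new code paths in the release still need review.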
Source: Hackernews
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA (www.infrascan.net), or you can try it yourself using check.website.