The iRecorder - Screen Recorder app on Google Play Store was found to have information stealing capabilities nearly a year after it was published as an innocuous app. The app had over 50,000 installations and the malicious functionality was introduced in version 1.3.8, which was released on August 24, 2022. The malicious code was based on the open source AhMyth Android RAT and was customized into what was named AhRat. This development is an example of malware adopting a technique called versioning, which refers to uploading a clean version of the app to the Play Store to build trust among users and then adding malicious code at a later stage via app updates, in a bid to slip through the app review process.

• iRecorder - Screen Recorder app on Google Play Store had information stealing capabilities
• Malicious functionality was introduced in version 1.3.8, which was released on August 24, 2022
• Malicious code was based on the open source AhMyth Android RAT and was customized into what was named AhRat
• Malware adopting a technique called versioning to slip through the app review process