ESET researchers have discovered a trojanized Android app called iRecorder – Screen Recorder that was first published on the Google Play Store as a legitimate app in September 2021. In August 2022, malicious functionality was added to it. The malicious code, which ESET named AhRat, is based on the open-source AhMyth Android RAT (remote access trojan) and was customized for this purpose. It can record audio through the device's microphone and steal files, which suggests it may be part of an espionage campaign. The app was installed more than 50,000 times while it was available.
While ESET researchers have not detected AhRat outside of the Google Play Store, this is not the first time that Android malware based on AhMyth has been found on the official store. In 2019, ESET published research on a trojanized app that used AhMyth as its foundation and managed to bypass Google’s app-vetting process. The iRecorder app can also be found on unofficial Android markets, but the developer’s other applications on the Google Play Store do not contain malicious code.
The AhRat malware is a customized version of the open-source AhMyth RAT, indicating that the authors put effort into understanding the code and adapting it to their needs. In addition to legitimate screen recording functionality, the malicious iRecorder app can record audio from the device’s microphone and upload it to a command and control server controlled by the attacker. It can also steal various file types, including web pages, images, audio, video, and document files.
Users who installed an earlier version of iRecorder (before version 1.3.8), which had no malicious features, would have unknowingly exposed their devices to AhRat if they later updated the app. Because the update required no additional permission approval, it could be applied manually or automatically: the permissions granted to the benign version carried over to the trojanized one.
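The two points above (malicious code arriving in a specific version, and a permission set that a later update inherits) are what a defender can check for on a device inventory. The following triage script is an added example written for this page, not ESET's tooling or the project's code: it parses a simplified, constructed `dumpsys package`-style dump, compares each watch-listed package's version against the version where malicious code was introduced, and separately flags any app that holds the microphone, network and storage-read permissions that the capabilities described above require. The package names, the watch-list entry and the dump contents are placeholders; the real iRecorder package name is not given on this page.

```python
import re

# Constructed watch-list: the package name is a placeholder, not the real
# iRecorder package name; the threshold mirrors the page's statement that
# malicious code was introduced with version 1.3.8.
WATCHLIST = {"com.example.irecorder": "1.3.8"}

# Permissions sufficient for the behaviour described: microphone capture,
# upload to a remote server, and reading user files from shared storage.
SPY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample dump (simplified dumpsys-package layout), not real device output.
SAMPLE_DUMP = """\
Package [com.example.irecorder]:
  versionName=1.3.10
  runtime permissions:
    android.permission.RECORD_AUDIO: granted=true
    android.permission.READ_EXTERNAL_STORAGE: granted=true
  install permissions:
    android.permission.INTERNET: granted=true
Package [com.example.voicememo]:
  versionName=4.2
  runtime permissions:
    android.permission.RECORD_AUDIO: granted=true
    android.permission.READ_EXTERNAL_STORAGE: granted=true
  install permissions:
    android.permission.INTERNET: granted=true
Package [com.example.clock]:
  versionName=1.0
  install permissions:
    android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
VER_RE = re.compile(r"versionName=(\S+)")
PERM_RE = re.compile(r"([\w.]+): granted=(true|false)")


def parse_version(text):
    """Turn '1.3.10' or '1.3.8-beta' into a tuple of ints so that
    1.3.10 compares greater than 1.3.8 (string comparison would get this wrong)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def parse_dump(text):
    """Parse the dump into {package: {"version": str, "permissions": set}}.
    Only permissions marked granted=true are recorded."""
    inventory, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PKG_RE.match(line)
        if m:
            current = inventory.setdefault(m.group(1), {"version": "0", "permissions": set()})
            continue
        if current is None:
            continue
        m = VER_RE.search(line)
        if m:
            current["version"] = m.group(1)
            continue
        m = PERM_RE.search(line)
        if m and m.group(2) == "true":
            current["permissions"].add(m.group(1))
    return inventory


def assess(inventory, watchlist=WATCHLIST):
    """Return findings: watch-listed packages at or past the trojanized version
    (high), plus any other package holding the full capture+upload+read set (review)."""
    findings = []
    for pkg, info in inventory.items():
        if pkg in watchlist and parse_version(info["version"]) >= parse_version(watchlist[pkg]):
            findings.append({"package": pkg, "severity": "high",
                             "reason": f"version {info['version']} is >= known-trojanized {watchlist[pkg]}"})
        elif SPY_PERMISSIONS <= info["permissions"]:
            findings.append({"package": pkg, "severity": "review",
                             "reason": "holds microphone + network + storage-read permissions"})
    return findings


if __name__ == "__main__":
    for f in assess(parse_dump(SAMPLE_DUMP)):
        print(f"[{f['severity']}] {f['package']}: {f['reason']}")
```

The "review" tier is deliberately noisy: a legitimate voice-memo app legitimately holds the same three permissions, so that tier is a prompt to check the app's origin and update history rather than a verdict. The version comparison is the part that matters for the update path the page describes, since an app that was clean when installed is only exposed once it crosses the threshold version.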
Android 11 and later versions mitigate this kind of abuse to some extent through app hibernation. Apps that have been dormant for several months are placed into a hibernation state and their runtime permissions are reset, so a trojanized update cannot silently rely on permissions that were granted to an earlier, benign version.
ESET alerted Google, and the malicious app was removed from the Google Play Store. However, it is important to have multiple layers of protection, such as ESET Mobile Security, to safeguard devices against potential security breaches.
As of now, ESET has not found concrete evidence to attribute this activity to a specific campaign or APT (Advanced Persistent Threat) group.