Android app breaking bad: From legitimate screen recording to file exfiltration within a year
ESET researchers discover AhRat – a new Android RAT based on AhMyth – that exfiltrates files and records audio
ESET researchers have discovered a trojanized Android app that had been available on the Google Play store with over 50,000 installs. The app, named iRecorder – Screen Recorder, was initially uploaded to the store without malicious functionality on September 19th, 2021. However, it appears that malicious functionality was later implemented, most likely in version 1.3.8, which was made available in August 2022.
Key points of the blogpost:
As a Google App Defense Alliance partner, we detected a trojanized app available on the Google Play Store; we named the AhMyth-based malware it contained AhRat.
Initially, the iRecorder app did not have any harmful features. What is quite uncommon is that the application received an update containing malicious code quite a few months after its launch.
The application’s specific malicious behavior, which involves extracting microphone recordings and stealing files with specific extensions, potentially indicates its involvement in an espionage campaign.
The malicious app with over 50,000 downloads was removed from Google Play after our alert; we have not detected AhRat anywhere else in the wild….
