A malicious Android remote access Trojan (RAT) was revealed to be hidden inside the iRecorder – Screen Recorder application, which was at one time considered to be a genuine Android application. This discovery was made by cybersecurity professionals from ESET, who uncovered a variation of AhMyth. AhMyth is an open-source remote administration application that is capable of retrieving sensitive data from Android devices.
iRecorder – Screen Recorder gave off the impression that it was a risk-free app for capturing screen activity when it was first released in September 2021 and boasted over 50,000 installations. However, the most current investigation carried out by ESET has uncovered the existence of a harmful code inside the app’s most recent update, which was released as version 1.3.8 in August 2022. The remote access tool (RAT), given the name AhRat by the researchers at ESET, has the capability to exfiltrate files that have certain extensions as well as microphone recordings and upload them to the command and control (C2) server of the attacker. It is probable that the harmful code was included when the program was upgraded to version 1.3.8 in August 2022, which was made accessible to users. However, Android users who had installed an earlier version of iRecorder (prior to version 1.3.8), which did not contain any malicious features, would have unknowingly exposed their devices to AhRat if they subsequently updated the app either manually or automatically, even if they did not grant any further app permission approval. This was the case even if they did not grant any further app permission approval.
According to the findings of the ESET researchers, the addition of harmful code to a legal app is considerably more infrequent than the prevalence of malicious Android applications themselves.A cyber espionage group known as Transparent Tribe, also known as APT36, has been found to have utilized AhMyth. This group is notorious for its extensive use of social engineering tactics as well as its targeting of government and military institutions in South Asian countries.
During the course of the investigation, they came across two distinct variants of malicious malware that were based on AhMyth RAT. The first version of iRecorder that was malicious had bits of AhMyth RAT’s malicious code that had been copied without any adjustments being made. The second malicious version, which they have given the name AhRat, was also accessible on Google Play. The AhMyth code that it included had been modified, and this included the connection between the C&C server and the backdoor as well as the malware itself. iRecorder is the only app that has been found to have this particular piece of modified code.
AhMyth RAT is a powerful tool that is capable of performing a variety of harmful operations. These capabilities include acquiring a list of files on the device, determining the position of the device, exfiltrating call logs, contacts, and text messages, obtaining a list of files on the device, and sending SMS messages, recording audio, and capturing photographs. However, in both versions of the AhMyth RAT that were examined here, they found just a small subset of the dangerous characteristics that were included in the original AhMyth RAT. These features looked to fit inside the previously stated app permissions model, which allows access to the files stored on the device and authorizes the recording of audio. Additionally, access is granted to the camera’s recording capabilities. Notably, the malicious program had the capability to capture videos, therefore it was to be anticipated that it would inquire about obtaining permission to record audio and save it to the device. After being installed, the malicious program acted in the same manner as a conventional app and did not seek any unusual or additional permissions, which would have been a potential indicator of its harmful purpose.
Following receipt of information from ESET, the security team at Google Play swiftly deleted the iRecorder – Screen Recorder app from its official store. It is important to note, however, that the application can still be obtainable in Android marketplaces that are not officially sanctioned by Google. The developer that is responsible for iRecorder has additional programs that are available on Google Play; however, there is no proof that any of those applications include harmful code.
Researchers from ESET have, fortunately, not yet found any cases of AhRat that go beyond the capabilities of the iRecorder – Screen Recorder program. Users of Android are cautioned to stay cautious and exercise care when installing applications from alternative sources, and it is emphasized how important it is to depend on approved app stores for increased levels of security.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.