ESET researchers have uncovered a new remote access trojan (RAT) named AhRat hidden within the ‘iRecorder – Screen Recorder’ app on the Google Play Store. The app, which had accumulated over 50,000 installations before being removed, was likely trojanized through a malicious update released in August 2022.
The RAT, based on the AhMyth open-source Android RAT, possesses various capabilities, such as location tracking, call log and text message theft, SMS sending, image capture, and background audio recording.
Upon analysis, ESET found that the malicious screen recording app utilized only a subset of the RAT’s functions, focusing on creating and exfiltrating ambient sound recordings and stealing specific file extensions, indicating potential espionage activities.
This incident is not the first instance of AhMyth-based Android malware infiltrating the Google Play Store; in 2019, ESET disclosed details about another AhMyth-trojanized app that successfully bypassed Google’s app-vetting process by posing as a radio streaming app.
Although AhMyth has been associated with the Transparent Tribe (APT36) cyberespionage group, known for targeting government and military organizations in South Asia using social engineering techniques, ESET researchers have not attributed the current samples to any specific group or known APT.
It is worth noting that while the iRecorder app has been removed from the official Google Play Store, it may still be present on alternative and unofficial Android markets. ESET urges users to exercise caution and emphasizes that other applications by the iRecorder developer on Google Play do not contain malicious code.
