AhRat Malware Strikes Again with Trojanized Screen Recording App
ESET malware researchers have made a disturbing discovery—a new remote access trojan (RAT) lurking within an Android screen recording app available on the Google Play Store. Initially added to the store in September 2021, the app named ‘iRecorder – Screen Recorder’ fell victim to a malicious update released nearly a year later in August 2022.
iRecorder entry in Google Play (ESET)
Cleverly leveraging its name, the app successfully requested permissions to record audio and access files on infected devices, cleverly aligning with the expected functionalities of a legitimate screen recording tool. Unfortunately, this led to over 50,000 installations of the app on the Google Play Store, leaving users vulnerable to malware infections.
Following ESET’s notification about the app’s malicious behavior, the Google Play security team promptly removed it from the store. However, it is crucial to note that the iRecorder app may still be found on alternative and unofficial Android markets. Additionally, it’s worth mentioning that while the iRecorder developer offers other applications on Google Play, those do not contain any malicious code.
The malware in question, known as AhRat, is an Android RAT based on the open-source AhMyth RAT. AhRat exhibits a broad range of capabilities, including location tracking of infected devices, stealing call logs, contacts, and text messages, sending SMS messages, capturing images, and recording background audio.
See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses
Upon closer examination, ESET researchers found that the malicious screen recording app utilized only a subset of AhRat’s capabilities. Its primary purpose was to create and extract ambient sound recordings, along with stealing files with specific extensions—indicative of potential espionage activities.
This isn’t the first instance of AhMyth-based Android malware infiltrating the Google Play store. In 2019, ESET exposed another AhMyth-trojanized app that managed to deceive Google’s app-vetting process twice by posing as a radio streaming app.
Trending: Recon Tool: Dome
While the AhMyth RAT has been previously associated with Transparent Tribe (also known as APT36)—a cyberespionage group employing sophisticated social engineering techniques to target government and military organizations in South Asia—there is currently no evidence linking the present samples to any specific group or known advanced persistent threat (APT) actor.
Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?
If you want to express your idea in an article contact us here for a quote: [email protected]
Source: bleepingcomputer.com