If you have downloaded the iRecorder application on Android, you must uninstall it – France Mobiles

ESET researchers discovered an Android application called iRecorder – Screen Recorder that contained a Trojan horse. It was available as a legitimate app on Google Play in September 2021 and the malicious function was believed to have been added in August 2022.

During its existence, the application was installed on more than 50,000 devices. The malicious code added to the clean version of iRecorder is based on the open source Android remote access trojan AhMyth and has been modified to become what ESET calls AhRat. The malicious app is able to record audio via the device’s microphone and steal files, suggesting that it could be part of a spying campaign.

ESET Research did not find AhRat anywhere other than the Google Play Store. However, this is not the first time AhMyth-based Android malware has appeared on the official store. ESET published research on such an application back in 2019. At that time, AhMyth-based spyware twice bypassed Google’s application verification process in the form of a malicious application that offered radio streaming. The iRecorder application is also available on alternative and unofficial Android markets, and the developer also provides other applications on Google Play, but they do not contain any malicious code.

AhRat is an adaptation of the open-source remote access trojan AhMyth. This means that the authors of the rogue application have made significant efforts to understand the application code and backend in order to eventually customize it to their own needs.

Aside from the legitimate screen recording functionality, the rogue version of iRecorder is able to record ambient sounds from the device’s microphone and transmit them to the attacker’s command and control server. It can also exfiltrate files from the device whose extensions indicate saved web pages, images, audio and video files, documents, and archive formats used to compress multiple files.

Android users who had installed an older version of iRecorder (prior to version 1.3.8) that did not contain malicious features would have unknowingly exposed their device to AhRat if they then updated the app manually or automatically, even without granting additional permissions.
