
AhRat Spyware Trojan Concealed Within Screen Recording App Discovered on Google Play


By Esme Greene

Aug 8, 2023

Researchers at ESET have uncovered a new remote access Trojan (RAT) with spyware capabilities hidden inside an Android screen recording app distributed through Google Play. The malicious app, named “iRecorder – Screen Recorder,” had accumulated tens of thousands of installations before it was detected.

Malicious Update Infects Screen Recording App with AhRat Spyware on Google Play

The app first appeared on the store in September 2021 as a clean, functional screen recorder. The malicious code arrived almost a year later, through an update published in August 2022. By the time ESET identified the threat and Google removed the app from the store, it had been installed more than 50,000 times. This is the supply-chain pattern that makes store vetting hard: a benign app builds a user base and reputation first, and the malicious payload is only pushed once an update reaches installed devices.

The app’s innocuous name and advertised purpose made it unsuspicious to users, so its requests for microphone access and file storage permissions raised no red flags. Those are exactly the permissions a legitimate screen recorder needs, which is what allowed the spyware to run with them without appearing out of place.

ESET named the malware AhRat and determined that it is derived from AhMyth, an open-source Android RAT. AhMyth offers a broad set of features, including location tracking, theft of call logs, contacts and text messages, sending SMS messages without the user’s knowledge, taking photos, and recording audio in the background.

On closer analysis, ESET found that the trojanized app used only a subset of the RAT’s capabilities: recording ambient audio through the device’s microphone, uploading the recordings, and exfiltrating files with specific extensions from the device. This narrow focus on audio capture and document theft is characteristic of espionage-oriented spyware rather than financially motivated malware.

This is not the first time spyware built on AhMyth has made it into Google Play. In 2019, another AhMyth-based app, posing as an internet radio streaming app, passed Google’s app vetting process twice before being removed for good.

Lukas Stefanko, an ESET researcher, commented:

“AhMyth’s open-source code had previously been abused by Transparent Tribe hackers, commonly known as APT36, a cyber espionage outfit notorious for using social engineering methods and concentrating its attacks on South Asian governmental and military institutions. The latest AhMyth variation, however, cannot be firmly linked to a particular gang of attackers.”


Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.