Malicious Android App 'iRecorder' Exposed 50,000 Users to AhRat Trojan
ESET researchers have discovered a malicious Android app, iRecorder - Screen Recorder, available on the Google Play Store. Dubbed AhRat, the app has been downloaded over 50,000 times, exposing users who updated to version 1.3.8 or later to the Trojan. The app, linked to a group known as 'AhMyth', is based on the open-source AhMyth Android RAT.
AhRat was initially a legitimate app, released on the Google Play Store in September 2021. However, its malicious functionality was added in August 2022. The app can record audio using the device's microphone and steal files, suggesting it might be part of an espionage campaign. ESET removed the malicious app from the Google Play Store after their discovery. App hibernation, available in Android 11 and later, can prevent malicious apps like AhRat from functioning as intended.
This is not the first AhMyth-based Android malware found on the official store. The developer behind AhRat is linked to the 'AhMyth' group, which was once an official provider on the Google Play Store. No concrete evidence has been found to attribute this activity to a particular campaign or APT group.
AhRat, a malicious Android app disguised as a screen recorder, has been removed from the Google Play Store. Users are advised to update their apps regularly and be cautious of apps with fewer reviews or those requesting excessive permissions. Further research is needed to determine the full extent and purpose of this malicious activity.