A screen recording Android app named ‘iRecorder – Screen Recorder’, which had garnered over 50,000 downloads on Google Play, has collected victim information through a trojanisation attack. Initially launched on the platform in September 2021, the app took an ominous turn with its version 1.3.8 update in August of the same year, when it began infecting users with the AhRat spyware.
This update discreetly introduced AhRat, an insidious remote access trojan based on AhMyth, injecting malicious functionality into the unsuspecting application. The case is a reminder of the ongoing threats lurking within the mobile app ecosystem, which demand vigilant security measures.
AhRat spyware can stealthily record audio through the device’s microphones and extract the recorded files, indicating potential involvement in espionage activities.
While the AhMyth remote access trojan, upon which AhRat is based, has been linked to APT36, the specific AhRat variant observed in this case remains unattributed to any known Advanced Persistent Threat (APT) group.
The initial iteration of the iRecorder app featured sections of unaltered code from the malicious AhMyth RAT. The subsequent version, however, introduced a customised variant called AhRat. Both versions exhibited a more limited range of malicious functionalities than AhMyth RAT, including extracting call logs, contacts, and messages, sending messages, tracking device location, listing device files, recording audio, and capturing photos.
Notably, iRecorder, as a video recording app, held the necessary permissions to access device files and record audio, enabling the malware to operate seamlessly within the device without arousing suspicion.
Researchers have discovered that the malware, operating on commands from its C2 server, could extract various types of files, including audio and video files, documents, web pages, and archive files. The intention behind this malicious functionality remains unclear.
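The trojanised update is the defender's lesson here: an app whose permissions already matched its stated purpose (audio and file access for a recorder) gained call-log, contact, SMS, location and camera capabilities in a later version. The following script is an added example written for this article, not code from the original piece or from any of the apps or malware it describes. It parses two constructed AndroidManifest.xml fragments (a pre-update and a post-update build of a hypothetical recorder app) and flags permissions and components that appear only in the newer version, and it separately lists high-risk permissions that a screen recorder has no business holding. The mapping from each capability the article names to an Android permission is the editor's assumption, and the manifests are constructed samples.

```python
"""Flag capabilities that appear only in a newer build of an Android app.

Added example for the article above; the manifests below are constructed
samples, not the real iRecorder manifests.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions backing the capabilities the article attributes to AhRat.
# Which permission backs which capability is an assumption for this example.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "extract call logs",
    "android.permission.READ_CONTACTS": "extract contacts",
    "android.permission.READ_SMS": "extract messages",
    "android.permission.SEND_SMS": "send messages",
    "android.permission.ACCESS_FINE_LOCATION": "track device location",
    "android.permission.CAMERA": "capture photos",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_EXTERNAL_STORAGE": "list and read device files",
}

# What a screen/audio recorder legitimately needs (assumption for this example).
RECORDER_PURPOSE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample: the pre-update build of a hypothetical recorder app.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.recorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".RecordService"/>
  </application>
</manifest>"""

# Constructed sample: the post-update build, now requesting far more than a recorder needs.
MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.recorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".RecordService"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".SyncReceiver"/>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Return (set of requested permissions, set of (kind, name) app components)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    components = set()
    for kind in ("activity", "service", "receiver", "provider"):
        for el in root.iter(kind):
            components.add((kind, el.get(NAME_ATTR)))
    return perms, components


def unexpected_permissions(perms, purpose_perms=RECORDER_PURPOSE_PERMISSIONS):
    """High-risk permissions not justified by the app's declared purpose."""
    return sorted(p for p in perms if p in HIGH_RISK_PERMISSIONS and p not in purpose_perms)


def diff_manifests(old_xml, new_xml):
    """Summarise what the newer build gained: permissions, components, high-risk additions."""
    old_perms, old_comps = parse_manifest(old_xml)
    new_perms, new_comps = parse_manifest(new_xml)
    added_perms = sorted(new_perms - old_perms)
    return {
        "added_permissions": added_perms,
        "added_components": sorted(new_comps - old_comps),
        "high_risk": [(p, HIGH_RISK_PERMISSIONS[p]) for p in added_perms if p in HIGH_RISK_PERMISSIONS],
    }


if __name__ == "__main__":
    report = diff_manifests(MANIFEST_V1, MANIFEST_V2)
    for perm, capability in report["high_risk"]:
        print(f"NEW high-risk permission {perm}: enables '{capability}'")
    for kind, name in report["added_components"]:
        print(f"NEW {kind}: {name}")
    print("unexpected for a recorder:", unexpected_permissions(parse_manifest(MANIFEST_V2)[0]))
```

Running the diff over every update an app store or MDM fleet pulls in is cheap, and a jump from two purpose-aligned permissions to call-log, SMS, contact, location and camera access is exactly the signal that would have stood out in the case described above. The first build passes the purpose check with nothing unexpected; the second does not.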
Either the app developer intentionally built a user base before compromising the Android devices through an update, or a malicious actor introduced harmful changes to the app. However, there is no concrete evidence yet supporting either assumption.
The investigation highlights the importance of remaining cautious against malware threats and the need for robust security measures to protect user devices.
