AhRat spyware hidden in screen recording app found on Google Play
With over 50,000 downloads and almost a year of malicious activity, have you become one of the victims of cybercriminals?
ESET cybersecurity experts revealed a new spy trojan (RAT) on Google Play which was hiding in an Android screen recording app with tens of thousands of installations.
An app called “iRecorder – Screen Recorder” appeared on the store in September 2021, but was likely infected through a malicious update released almost a year after the original publication, in August 2022. At the time the application was discovered by specialists and removed from Google Play, it had over 50,000 installations.
Screenshot of an infected application
The name and purpose of the application allowed it to ask users for permission to record sound and access files without arousing suspicion, as this corresponded to the expected capabilities of a screen recording tool.
The malware, which ESET has named AhRat, is based on the open source Android RAT known as AhMyth. It has a wide range of capabilities, including but not limited to: tracking the location of infected devices, stealing call logs, contacts, and text messages, sending SMS messages, taking photos, and recording background audio.
Upon closer examination, ESET found that the malware itself used only part of the RAT's capabilities: it was used only to record ambient audio and steal files with certain extensions, indicating potential spying activity.
This is far from the first case of AhMyth-based malware penetrating Google Play. Back in 2019, ESET researchers described in detail another AhMyth-infected app that tricked Google’s app review process twice to masquerade as a radio streaming app.
“AhMyth’s previously open source code was used by the Transparent Tribe hackers, also known as APT36, a cyber-espionage group known for its extensive use of social engineering techniques targeting government and military organizations in South Asia. However, we cannot attribute the current AhMyth sample to any particular group of attackers,” said Lukas Stefanko, ESET researcher.