ESET researchers have recently unearthed an Android app that harbors a Trojan horse within its coding. The app, christened iRecorder – Screen Recorder, boasted over 50,000 installations from the Google Play store. Interestingly, this software was introduced to the store on September 19, 2021, without any harmful components. However, signs point towards the integration of malevolent functionality around August 2022, likely with version 1.3.8.
This app’s trajectory is unique – the developers uploaded a legitimate version, waited almost a year, then incorporated deleterious coding into it. ESET has labeled this customized, AhMyth Android RAT-based malicious code as AhRat.
iRecorder, while offering legitimate screen recording capabilities, also encodes audio from the device’s microphone and uploads it to the malefactor’s Command and Control (C&C) server. It can pilfer files of certain formats, including saved web pages, images, audio, videos, documents, and compressed files from the device. Although there’s a hint of a wider espionage campaign, attributing this software to any specific malicious group has proved elusive.
Following ESET’s identification of the malevolent elements in the app’s most recent version and their ensuing report to Google, the app was eliminated from the store. Despite this, users should remain wary as the app is available on alternate, unofficial Android markets.
The iRecorder’s sly strategy of infiltrating devices is noteworthy. Android users who had installed an earlier, innocuous version of iRecorder were unwittingly exposed to AhRat when they updated the app.
The AhRat RAT is indeed a formidable tool, capable of an array of harmful functions. However, its capabilities observed within the iRecorder were fairly limited and cleverly fell within the app permissions model, thereby arousing no suspicions. Once installed, AhRat begins liaising with the C&C server, dispatching rudimentary device information while receiving encryption keys and an encrypted configuration file. Post this initial exchange, AhRat checks in with the C&C server every quarter of an hour to receive a new configuration file.
Despite this chilling revelation, there is a glimmer of hope. Many of the commands present in the decrypted configuration file haven’t been put into action within the app’s code. Nevertheless, the sophisticated AhRat RAT is adept at pilfering files from the device and recording audio via the device’s microphone.
To summarize, while ESET researchers were not able to assign the app to any specific malicious group, the stealthy and pervasive nature of AhRat illustrates the mounting challenge faced by cybersecurity experts and Google Play in combating increasingly sophisticated malicious software.
