In the digital world, what’s useful today can become harmful tomorrow. Unfortunately, this is precisely what happened with iRecorder – Screen Recorder. This screen-recording Android application with over 50,000 installs was launched in September 2021 as a legitimate app.
However, the app now contains a new Android remote access Trojan (RAT) based on AhMyth. This open-source remote administration tool can be used to access informational data from an Android device, cybersecurity vendor ESET found on May 23, 2023.
The RAT, which ESET researchers called AhRat, can exfiltrate files with specific extensions and microphone recordings and upload them to the attacker’s command and control (C2) server. The malicious code was likely added when the app was updated to version 1.3.8, made available in August 2022.
The ESET researchers noted that while malicious Android apps are legion, adding malicious code to a legitimate app is much more uncommon.
“The application’s specific malicious behavior potentially indicates its involvement in an espionage campaign,” the research report reads.
AhMyth has been used by Transparent Tribe, also known as APT36, a cyber espionage group known for its extensive use of social engineering techniques and targeting of government and military organizations in South Asia.
“Nevertheless, we cannot ascribe the current samples to any specific group, and there are no indications that they were produced by a known advanced persistent threat (APT) group,” the researchers insisted in the report.
The Google Play security team removed the app from its store after being notified by ESET, a member of the Google App Defense Alliance.
“However, it is important to note that the app can also be found on alternative and unofficial Android markets. In addition, the iRecorder developer also provides other applications on Google Play, but they don’t contain malicious code.”
The researchers have not yet detected AhRat anywhere else in the world.