ESET researchers found a trojanized Android app within the Google Play store.
Unbeknownst to its over 50,000 users, the innocuously named iRecorder – Screen Recorder app had transformed into a stealthy Android RAT (remote access trojan) known as AhRat.
The iRecorder app started innocently, offering users a convenient screen recording function. But later updates made it a malicious Android application on the Google Play Store.
The developers clandestinely introduced malicious functionality, most likely in version 1.3.8, released in August 2022. ESET, in its role as a Google App Defense Alliance partner, detected this shift and named the malware embedded in the trojanized Android app AhRat.
What sets this trojanized Android app incident apart is the unusual delay between the app’s initial release and the introduction of malicious code, making it a perplexing case for researchers.
A new Android RAT campaign by threat actors
ESET’s analysis reveals that AhRat exfiltrates files with particular extensions and records audio captured by the device’s microphone.
The combination of these actions strongly suggests involvement in an espionage campaign. The app stealthily seizes various file types, including web pages, images, audio, video, document files, and compressed formats. These findings underscore the alarming potential for unauthorized access to sensitive user information.
While AhRat may be a new entrant in the realm of Android RATs, it is not the first time the AhMyth framework has compromised the Google Play store.
ESET researchers previously uncovered a trojanized app in 2019, demonstrating how the spyware built on the AhMyth foundations managed to bypass Google’s app-vetting process by posing as a radio streaming service.
The re-emergence of AhMyth-based malware underscores the persistent challenges app stores face in combating sophisticated threats.
Thanks to ESET’s partnership with the Google App Defense Alliance, the malicious iRecorder app was swiftly identified, and the findings were promptly shared with Google.
As a result, the app was quickly removed from the Google Play store, mitigating potential harm to unsuspecting users.
This collaborative effort showcases the importance of constant vigilance and rapid response to address the ever-evolving landscape of mobile malware threats.
Staying safe from the trojanized Android app trouble
The discovery of AhRat in iRecorder is an important reminder of the risks lurking in the vast ecosystem of mobile apps. Here are some essential steps to enhance mobile security:
- Download apps from reputable sources like the official app stores to minimize the risk of encountering trojanized or malicious applications.
- Before installing any app, check user reviews and ratings to identify potential red flags or reported issues.
- Keep your device’s operating system and apps up to date.
- Install a reliable mobile security solution that provides real-time protection against malware, including Android RATs like AhRat.
A wake-up call for Android users
While the Android platform provides more features and customizations than iOS, it also has its drawbacks. The ESET Android RAT research about AhRat infiltrating the iRecorder app serves as a wake-up call for Android smartphone users.
These campaigns underscore the importance of caution while installing apps and maintaining a robust security posture. By staying informed, adopting security best practices, and relying on reputable security solutions, we can confidently navigate the mobile app jungle and protect ourselves from hidden threats such as Android RATs.
This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.