Android app breaking bad: From legitimate screen recording to file exfiltration within a year

ESET researchers uncover AhRat – a brand new Android RAT based mostly on AhMyth – that exfiltrates information and data audio

ESET researchers have found a trojanized Android app that had been accessible on the Google Play retailer with over 50,000 installs. The app, named iRecorder – Display Recorder, was initially uploaded to the shop with out malicious performance on September 19th, 2021. Nevertheless, it seems that malicious performance was later applied, almost certainly in model 1.3.8, which was made accessible in August 2022.

Key factors of the blogpost:

  • As a Google App Protection Alliance companion, we detected a trojanized app accessible on the Google Play Retailer; we named the AhMyth-based malware it contained AhRat.
  • Initially, the iRecorder app didn’t have any dangerous options. What is sort of unusual is that the applying acquired an replace containing malicious code fairly a number of months after its launch.
  • The appliance’s particular malicious conduct, which includes extracting microphone recordings and stealing information with particular extensions, doubtlessly signifies its involvement in an espionage marketing campaign.
  • The malicious app with over 50,000 downloads was faraway from Google Play after our alert; we have now not detected AhRat anyplace else within the wild.

It’s uncommon for a developer to add a reliable app, wait virtually a 12 months, after which replace it with malicious code. The malicious code that was added to the clear model of iRecorder is predicated on the open-source AhMyth Android RAT (distant entry trojan) and has been personalized into what we named AhRat.

In addition to this one case, we have now not detected AhRat anyplace else within the wild. Nevertheless, this isn’t the primary time that AhMyth-based Android malware has been accessible on Google Play; we beforehand published our research on such a trojanized app in 2019. Again then, the adware, constructed on the foundations of AhMyth, circumvented Google’s app-vetting course of twice, as a malicious app offering radio streaming.

Overview of the app

Other than offering reliable display recording performance, the malicious iRecorder can document surrounding audio from the machine’s microphone and add it to the attacker’s command and management (C&C) server. It will possibly additionally exfiltrate information with extensions representing saved internet pages, photographs, audio, video, and doc information, and file codecs used for compressing a number of information, from the machine. The app’s particular malicious conduct – exfiltrating microphone recordings and stealing information with particular extensions – tends to counsel that it’s a part of an espionage marketing campaign. Nevertheless, we weren’t in a position to attribute the app to any explicit malicious group.

As a Google App Protection Alliance companion, ESET recognized the latest model of the applying as malicious and promptly shared its findings with Google. Following our alert, the app was faraway from the shop.


The iRecorder software was initially launched on the Google Play Retailer on September 19th, 2021, providing display recording performance; at the moment, it contained no malicious options. Nevertheless, round August 2022 we detected that the app’s developer included malicious performance in model 1.3.8. As illustrated in Determine 1, by March 2023 the app had amassed over 50,000 installations.

Determine 1. The trojanized iRecorder app

Nevertheless, Android customers who had put in an earlier model of iRecorder (previous to model 1.3.8), which lacked any malicious options, would have unknowingly uncovered their units to AhRat, in the event that they subsequently up to date the app both manually or routinely, even with out granting any additional app permission approval.

Following our notification relating to iRecorder’s malicious conduct, the Google Play safety staff eliminated it from the shop. Nevertheless, it is very important notice that the app can be discovered on various and unofficial Android markets. The iRecorder developer additionally supplies different purposes on Google Play, however they don’t include malicious code.


Beforehand, the open-source AhMyth was employed by Transparent Tribe, often known as APT36, a cyberespionage group identified for its extensive use of social engineering techniques and concentrating on authorities and navy organizations in South Asia. However, we can not ascribe the present samples to any particular group, and there aren’t any indications that they had been produced by a identified superior persistent menace (APT) group.


Throughout our evaluation, we recognized two variations of malicious code based mostly on AhMyth RAT. The primary malicious model of iRecorder contained elements of AhMyth RAT’s malicious code, copied with none modifications. The second malicious model, which we named AhRat, was additionally accessible on Google Play, and its AhMyth code was personalized, together with the code and communication between the C&C server and the backdoor. By the point of this publication, we have now not noticed AhRat in another Google Play app or elsewhere within the wild, iRecorder being the one app that has contained this personalized code.

AhMyth RAT is a potent software, able to numerous malicious capabilities, together with exfiltrating name logs, contacts, and textual content messages, acquiring a listing of information on the machine, monitoring the machine location, sending SMS messages, recording audio, and taking photos. Nevertheless, we noticed solely a restricted set of malicious options derived from the unique AhMyth RAT in each variations analyzed right here. These functionalities appeared to suit throughout the already outlined app permissions mannequin, which grants entry to information on the machine and permits recording of audio. Notably, the malicious app supplied video recording performance, so it was anticipated to ask for permission to document audio and retailer it on the machine, as proven in Determine 2. Upon set up of the malicious app, it behaved as a typical app with none particular additional permission requests which may have revealed its malicious intentions.

Determine 2. Permissions requested by the iRecorder app

After set up, AhRat begins speaking with the C&C server by sending primary machine info and receiving encryption keys and an encrypted configuration file, as seen in Determine 3. These keys are used to encrypt and decrypt the configuration file and a few of the exfiltrated information, such because the listing of information on the machine.

Determine 3. AhRat’s preliminary C&C communication

After the preliminary communication, AhRat pings the C&C server each quarter-hour, requesting a brand new configuration file. This file incorporates a variety of instructions and configuration info to be executed and set on the focused machine, together with the file system location from which to extract consumer information, the file varieties with explicit extensions to extract, a file dimension restrict, the length of microphone recordings (as set by the C&C server; throughout evaluation it was set to 60 seconds), and the interval of time to attend between recordings – quarter-hour – which can also be when the brand new configuration file is acquired from the C&C server.

Curiously, the decrypted configuration file incorporates extra instructions than AhRat is able to executing, as sure malicious performance has not been applied. This will point out that AhRat is a light-weight model just like the preliminary model that contained solely unmodified malicious code from the AhMyth RAT. Regardless of this, AhRat continues to be able to exfiltrating information from the machine and recording audio utilizing the machine’s microphone.

Primarily based on the instructions acquired within the configuration from the C&C server, AhRat ought to be able to executing 18 instructions. Nevertheless, the RAT can execute solely the six instructions from the listing under marked in daring and with an asterisk:

  • SMS
  • OTT
  • WIFI

The implementation for many of those instructions is just not included within the app’s code, however most of their names are self-explanatory, as proven additionally in Determine 4.

Determine 4. Decrypted configuration file with a listing of instructions

Throughout our evaluation, AhRat acquired instructions to exfiltrate information with extensions representing internet pages, photographs, audio, video, and doc information, and file codecs used for compressing a number of information. The file extensions are as follows: zip, rar, jpg, jpeg, jpe, jif, jfif, jfi, png, mp3, mp4, mkv, 3gp, m4v, mov, avi, gif, webp, tiff, tif, heif, heic, bmp, dib, svg, ai, eps, pdf, doc, docx, html, htm, odt, pdf, xls, xlsx, ods, ppt, pptx, and txt.

These information had been restricted to a dimension of 20 MB and had been positioned within the Obtain listing /storage/emulated/0/Obtain.

Situated information had been then uploaded to the C&C server, as seen in Determine 5.

Determine 5. File exfiltration to C&C server


The AhRat analysis serves as a great instance of how an initially reliable software can rework right into a malicious one, even after many months, spying on its customers and compromising their privateness. Whereas it’s doable that the app developer had meant to construct up a consumer base earlier than compromising their Android units by means of an replace or {that a} malicious actor launched this alteration within the app; to date, we have now no proof for both of those hypotheses.

Luckily, preventative measures towards such malicious actions have already been applied in Android 11 and better variations within the type of App hibernation. This function successfully locations apps which have been dormant for a number of months right into a hibernation state, thereby resetting their runtime permissions and stopping malicious apps from functioning as meant. The malicious app was faraway from Google Play after our alert, which confirms that the necessity for defense to be supplied by means of a number of layers, akin to ESET Cellular Safety, stays important for safeguarding units towards potential safety breaches.

The remotely managed AhRat is a customization of the open-source AhMyth RAT, which signifies that the authors of the malicious app invested important effort into understanding the code of each the app and the again finish, finally adapting it to go well with their very own wants.

AhRat’s malicious conduct, which incorporates recording audio utilizing the machine’s microphone and stealing information with particular extensions, would possibly point out that it was a part of an espionage marketing campaign. Nevertheless, we have now but to search out any concrete proof that might allow us to attribute this exercise to a selected marketing campaign or APT group.



SHA-1 Package deal identify ESET detection identify Description
C73AFFAF6A9372C12D995843CC98E2ABC219F162 Android/Spy.AhRat.A AhRat backdoor.
E97C7AC722D30CCE5B6CC64885B1FFB43DE5F2DA Android/Spy.AhRat.A AhRat backdoor.
C0EBCC9A10459497F5E74AC5097C8BD364D93430 Android/Spy.Android.CKN AhMyth‑based mostly backdoor.
0E7F5E043043A57AC07F2E6BA9C5AEE1399AAD30 Android/Spy.Android.CKN AhMyth‑based mostly backdoor.


IP Supplier First seen Particulars
34.87.78[.]222 Namecheap 2022-12-10 order.80876dd5[.]store C&C server.
13.228.247[.]118 Namecheap 2021-10-05 80876dd5[.]store:22222 C&C server.


This desk was constructed utilizing version 12 of the MITRE ATT&CK framework.

Tactic ID Title Description
Persistence T1398 Boot or Logon Initialization Scripts AhRat receives the BOOT_COMPLETED broadcast intent to activate at machine startup.
T1624.001 Occasion Triggered Execution: Broadcast Receivers AhRat performance is triggered if one in all these occasions happens: CONNECTIVITY_CHANGE, or WIFI_STATE_CHANGED.
Discovery T1420 File and Listing Discovery AhRat can listing accessible information on exterior storage.
T1426 System Data Discovery AhRat can extract details about the machine, together with machine ID, nation, machine producer and mode, and customary system info.
Assortment T1533 Information from Native System AhRat can exfiltrate information with explicit extensions from a tool.
T1429 Audio Seize AhRat can document surrounding audio.
Command and Management T1437.001 Utility Layer Protocol: Internet Protocols AhRat makes use of HTTPS to speak with its C&C server.
Exfiltration T1646 Exfiltration Over C2 Channel AhRat exfiltrates stolen information over its C&C channel.


Leave a Reply

Your email address will not be published. Required fields are marked *