The trojanised app that posed an espionage threat

ESET, a partner of the Google App Defense Alliance, recently discovered a trojanised app on the Google Play Store known as ‘iRecorder – Screen Recorder’. This legitimate app, launched in September 2021, was found to contain an unusual AhMyth-based malware, dubbed AhRat by ESET. Interestingly, this malicious functionality was added several months post-launch, in August 2022.

A notable aspect of this case is that the app remained harmless at the outset, only to receive an update with malicious code months later. The specific functionality of this malware, which included extracting microphone recordings and stealing files with particular extensions, pointed towards a potential espionage campaign.

ESET’s alert led to the app’s removal from the Google Play Store, after it had already seen over 50,000 downloads. Remarkably, ESET has not detected AhRat elsewhere in the wild.

The iRecorder app had been installed on more than 50,000 devices. Its malicious code, based on the open-source AhMyth Android Remote Access Trojan (RAT), was tailored to what ESET termed AhRat. The capabilities of this malicious app included audio recording and stealing files, making it a potential tool for espionage.

AhMyth-based Android malware has had a history with the official Google store, with ESET having previously exposed a trojanised app in 2019. Despite the removal from the Play Store, the iRecorder app can still be found on alternative Android markets. However, other applications provided by the same developer on Google Play have been found to be benign.

ESET researcher Lukáš Štefanko, who investigated the threat, emphasised the example set by the AhRat case. It demonstrates how a seemingly legitimate application can morph into a malicious tool that invades users’ privacy. While it remains unclear whether the app developer intended to compromise user devices after building up a user base, or whether a third party introduced the malicious code, there is currently no definitive evidence supporting either theory.

AhRat, a bespoke adaptation of the open-source AhMyth RAT, indicates considerable effort on the part of the authors to comprehend and tailor the original code to serve their nefarious purposes. In addition to offering legitimate screen recording functionality, the malicious iRecorder app could record audio from the device’s microphone and upload it to a remote server, alongside a range of file types.

Users of earlier iRecorder versions (prior to version 1.3.8) lacking malicious features would have unintentionally exposed their devices to AhRat upon updating the app. Android 11, and higher versions, mitigate such risks through an ‘app hibernation’ feature that effectively disables dormant apps, resetting their runtime permissions.

Following ESET’s alert, the malicious app was removed from Google Play. As Štefanko concludes, this incident underscores the necessity of multi-layered protection systems, such as ESET Mobile Security, in safeguarding devices against potential security breaches.

As of now, ESET Research has found no substantial evidence to attribute this activity to a specific campaign or APT group. The investigation continues.