ESET: Android App ‘iRecorder – Screen Recorder’ Trojanized with AhRat

In the digital world, what is useful today can be harmful tomorrow. Unfortunately, this is exactly what happened with iRecorder – Screen Recorder. With over 50,000 installs, this screen recording Android app was released as a legitimate app in September 2021.

However, the app contains a new Android Remote Access Trojan (RAT) that is based on AhMyth, an open-source remote administration tool. Cybersecurity vendor ESET discovered it on May 23, 2023, accessing data from Android devices.

Dubbed “AhRat” by ESET researchers, the RAT can extract files with specific extensions and microphone recordings and upload them to the attacker’s command and control (C2) server. This malicious code may have been added when the app was updated to version 1.3.8, which became available in August 2022.

ESET researchers noted that while there are many malicious Android apps out there, adding malicious code to a legitimate app is much rarer.

“Certain malicious behavior of the application may indicate involvement in espionage,” the research report states.

AhMyth is used by the Transparent Tribe, also known as APT36. The Transparent Tribe is a cyber espionage group known for its extensive use of social engineering techniques and targeting governments and military organizations in South Asia.

“Nevertheless, the current samples cannot be attributed to any particular group, and there is no indication that they were created by a known advanced persistent threat (APT) group,” the researchers said in their report.

The Google Play security team removed the app from the store after being notified by ESET, a member of the Google App Defense Alliance.

“However, it is important to note that this app may also be found in alternative unofficial Android markets. In addition, the iRecorder developer also offers other applications on Google Play, which contain malicious intent. It does not contain code with

Researchers have yet to detect AhRat anywhere else in the world.
