Android app breaking bad: From legitimate screen recording to file
ESET researchers discover AhRat – a new Android RAT based on AhMyth – that exfiltrates files and records audio
ESET researchers have discovered a trojanized Android app that had been available on the Google Play store with over 50,000 installs. The app, named iRecorder – Screen Recorder, was initially uploaded to the store without malicious functionality on September 19th, 2021. However, it appears that malicious functionality was later implemented, most likely in version 1.3.8, which was made available in August 2022.
Key points of the blogpost:
- As a Google App Defense Alliance partner, we detected a trojanized app available on the Google Play Store; we named the AhMyth-based malware it contained AhRat.
- Initially, the iRecorder app did not have any harmful features. What is quite uncommon is that the application received an update containing malicious code quite a few months after its launch.
- The application’s specific malicious behavior, which involves extracting microphone recordings and stealing files with specific extensions, potentially indicates its involvement in an espionage campaign.
- The malicious app with over 50,000 downloads was removed from Google Play after our alert; we have not detected AhRat anywhere else in the wild.
It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code. The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customized into what we named AhRat.
Besides this one case, we have not detected AhRat anywhere else in the wild. However, this is not the first time that AhMyth-based Android malware has been available on Google Play; we previously published our research on such a trojanized app in 2019. Back then, the spyware, built on the foundations of AhMyth, circumvented Google’s app-vetting process twice, as a malicious app providing radio streaming.
Overview of the app
Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device. The app’s specific malicious behavior – exfiltrating microphone recordings and stealing files with specific extensions – tends to suggest that it is part of an espionage campaign. However, we were not able to attribute the app to any particular malicious group.
As a Google App Defense Alliance partner, ESET identified the most recent version of the application as malicious and promptly shared its findings with Google. Following our alert, the app was removed from the store.
The iRecorder application was initially released on the Google Play Store on September 19th, 2021, offering screen recording functionality; at that time, it contained no malicious features. However, around August 2022 we detected that the app’s developer included malicious functionality in version 1.3.8. As illustrated in Figure 1, by March 2023 the app had amassed over 50,000 installations.
Figure 1. The trojanized iRecorder app
However, Android users who had installed an earlier version of iRecorder (prior to version 1.3.8), which lacked any malicious features, would have unknowingly exposed their devices to AhRat, if they subsequently updated the app either manually or automatically, even without granting any further app permission approval.
Following our notification regarding iRecorder’s malicious behavior, the Google Play security team removed it from the store. However, it is important to note that the app can also be found on alternative and unofficial Android markets. The iRecorder developer also provides other applications on Google Play, but they don’t contain malicious code.
Previously, the open-source AhMyth was employed by Transparent Tribe, also known as APT36, a cyberespionage group known for its extensive use of social engineering techniques and targeting government and military organizations in South Asia. Nevertheless, we cannot ascribe the current samples to any specific group, and there are no indications that they were produced by a known advanced persistent threat (APT) group.
During our analysis, we identified two versions of malicious code based on AhMyth RAT. The first malicious version of iRecorder contained parts of AhMyth RAT’s malicious code, copied without any modifications. The second malicious version, which we named AhRat, was also available on Google Play, and its AhMyth code was customized, including the code and communication between the C&C server and the backdoor. By the time of this publication, we have not observed AhRat in any other Google Play app or elsewhere in the wild, iRecorder being the only app that has contained this customized code.
AhMyth RAT is a potent tool, capable of various malicious functions, including exfiltrating call logs, contacts, and text messages, obtaining a list of files on the device, tracking the device location, sending SMS messages, recording audio, and taking pictures. However, we observed only a limited set of malicious features derived from the original AhMyth RAT in both versions analyzed here. These functionalities appeared to fit within the already defined app permissions model, which grants access to files on the device and permits recording of audio. Notably, the malicious app provided video recording functionality, so it was expected to ask for permission to record audio and store it on the device, as shown in Figure 2. Upon installation of the malicious app, it behaved as a standard app without any special extra permission requests that might have revealed its malicious intentions.
Figure 2. Permissions requested by the iRecorder app
After installation, AhRat starts communicating with the C&C server by sending basic device information and receiving encryption keys and an encrypted configuration file, as seen in Figure 3. These keys are used to encrypt and decrypt the configuration file and some of the exfiltrated data, such as the list of files on the device.
Figure 3. AhRat’s initial C&C communication
After the initial communication, AhRat pings the C&C server every 15 minutes, requesting a new configuration file. This file contains a range of commands and configuration information to be executed and set on the targeted device, including the file system location from which to extract user data, the file types with particular extensions to extract, a file size limit, the duration of microphone recordings (as set by the C&C server; during analysis it was set to 60 seconds), and the interval of time to wait between recordings – 15 minutes – which is also when the new configuration file is received from the C&C server.
Interestingly, the decrypted configuration file contains more commands than AhRat is capable of executing, as certain malicious functionality has not been implemented. This may indicate that AhRat is a lightweight version similar to the initial version that contained only unmodified malicious code from the AhMyth RAT. Despite this, AhRat is still capable of exfiltrating files from the device and recording audio using the device’s microphone.
Based on the commands received in the configuration from the C&C server, AhRat should be capable of executing 18 commands. However, the RAT can execute only the six commands from the list below marked in bold and with an asterisk:
The implementation for most of these commands is not included in the app’s code, but most of their names are self-explanatory, as shown also in Figure 4.
Figure 4. Decrypted configuration file with a list of commands
During our analysis, AhRat received commands to exfiltrate files with extensions representing web pages, images, audio, video, and document files, and file formats used for compressing multiple files. The file extensions are as follows: zip, rar, jpg, jpeg, jpe, jif, jfif, jfi, png, mp3, mp4, mkv, 3gp, m4v, mov, avi, gif, webp, tiff, tif, heif, heic, bmp, dib, svg, ai, eps, pdf, doc, docx, html, htm, odt, pdf, xls, xlsx, ods, ppt, pptx, and txt.
These files were limited to a size of 20 MB and were located in the Download directory /storage/emulated/0/Download.
Located files were then uploaded to the C&C server, as seen in Figure 5.
Figure 5. File exfiltration to C&C server
The AhRat research serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy. While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app; so far, we have no evidence for either of these hypotheses.
Fortunately, preventative measures against such malicious actions have already been implemented in Android 11 and higher versions in the form of App hibernation. This feature effectively places apps that have been dormant for several months into a hibernation state, thereby resetting their runtime permissions and preventing malicious apps from functioning as intended. The malicious app was removed from Google Play after our alert, which confirms that the need for protection to be provided through multiple layers, such as ESET Mobile Security, remains essential for safeguarding devices against potential security breaches.
The remotely controlled AhRat is a customization of the open-source AhMyth RAT, which means that the authors of the malicious app invested significant effort into understanding the code of both the app and the back end, ultimately adapting it to suit their own needs.
AhRat’s malicious behavior, which includes recording audio using the device’s microphone and stealing files with specific extensions, might indicate that it was part of an espionage campaign. However, we have yet to find any concrete evidence that would enable us to attribute this activity to a particular campaign or APT group.
|SHA-1||Package name||ESET detection name||Description|
|34.87.78[.]222||Namecheap||2022-12-10||order.80876dd5[.]shop C&C server.|
|13.228.247[.]118||Namecheap||2021-10-05||80876dd5[.]shop:22222 C&C server.|
MITRE ATT&CK Techniques
This table was built using version 12 of the MITRE ATT&CK framework.
|Persistence||T1398||Boot or Logon Initialization Scripts||AhRat receives the BOOT_COMPLETED broadcast intent to activate at device startup.|
|T1624.001||Event Triggered Execution: Broadcast Receivers||AhRat functionality is triggered if one of these events occurs: CONNECTIVITY_CHANGE, or WIFI_STATE_CHANGED.|
|Discovery||T1420||File and Directory Discovery||AhRat can list available files on external storage.|
|T1426||System Information Discovery||AhRat can extract information about the device, including device ID, country, device manufacturer and mode, and common system information.|
|Collection||T1533||Data from Local System||AhRat can exfiltrate files with particular extensions from a device.|
|T1429||Audio Capture||AhRat can record surrounding audio.|
|Command and Control||T1437.001||Application Layer Protocol: Web Protocols||AhRat uses HTTPS to communicate with its C&C server.|
|Exfiltration||T1646||Exfiltration Over C2 Channel||AhRat exfiltrates stolen data over its C&C channel.|