Spy Trojan AhRat Detected in Screen Recording App on Google Play

ESET cybersecurity researchers have uncovered a new spy trojan (RAT) on Google Play, hidden in an Android screen-recording application with tens of thousands of installations.

The application, called “iRecorder – Screen Recorder”, appeared in the store in September 2021, but it was probably trojanized through a malicious update released almost a year after its initial publication, in August 2022. By the time researchers detected the application and it was removed from Google Play, it had more than 50 thousand installations.

screenshot of the infected application

The name and purpose of the application allowed it to request permission to record audio and to access files without arousing suspicion, since these matched the expected capabilities of a screen-recording app.

The malware, which ESET named AhRat, is based on the open-source Android RAT known as AhMyth. It has a wide range of capabilities, including but not limited to tracking the location of infected devices, stealing call logs, contacts and text messages, sending SMS messages, taking photos and recording background audio.

On closer examination, ESET researchers found that the malicious application used only part of the RAT's capabilities: it was used solely to make and exfiltrate recordings of ambient sound and to steal files with certain extensions, which points to espionage activity.

This is far from the first case of AhMyth-based malware making its way into Google Play. Back in 2019, ESET researchers detailed another AhMyth-infected application which twice slipped past Google's app vetting process by masquerading as a radio streaming app.

“The open-source AhMyth code was previously used by Transparent Tribe hackers, also known as APT36, a cyberespionage group known for its widespread use of social engineering methods and for targeting government and military organizations in South Asia. Nevertheless, we cannot attribute the current AhMyth sample to any particular group of attackers,” said Lukas Stefanko, an ESET researcher.
