
From Legitimate Screen Recording to File Exfiltration: The Breakdown of an Android App in One Year


ESET, a cybersecurity firm, has discovered a new Android Remote Access Trojan (RAT) called AhRat that is based on the open-source AhMyth Android RAT. The malware was discovered on a trojanized app called iRecorder – Screen Recorder, which had over 50,000 installs on the Google Play store. According to ESET’s blog post, the app had initially been uploaded to the store without any malicious functionality back in September 2021. However, it appears that a malicious update, version 1.3.8, was introduced in August 2022. AhRat is capable of exfiltrating files with specific extensions and recording surrounding audio from the device’s microphone, which suggests that the malware is part of an espionage campaign.

As a Google App Defense Alliance partner, ESET detected the trojanized app and named the AhMyth-based malware inside it AhRat. Malware of this kind is usually very hard to detect, because the malicious code arrives as an update to an app that was legitimate when first reviewed, but ESET's analysis identified it. After ESET alerted Google's Play security team, the app was removed from the Google Play store.

According to ESET, it is quite uncommon for a developer to upload a legitimate app, wait almost a year, and only then update it with malicious code. Furthermore, AhRat is based on the potent AhMyth RAT, which supports a wide range of malicious functions beyond the file exfiltration and audio recording described above.

During their analysis, ESET identified two versions of malicious code based on the AhMyth RAT. The first version contained parts of the AhMyth RAT's malicious code copied without any modification. The second malicious version, named AhRat, was also available on Google Play, and its code had been customized. After installation, AhRat starts by sending basic device information to the C&C server and receives encryption keys and an encrypted configuration file. From then on, AhRat polls the C&C server every 15 minutes, requesting a new configuration file.
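The fixed 15-minute polling described above is the kind of regularity a defender can look for in outbound connection logs. The following is an added example, not code from ESET's report or from the AhRat sample: a heuristic that groups connections by (device, destination), measures the gaps between consecutive connections, and flags pairs whose gaps are nearly constant. Every hostname, device id and timestamp in the sample log is constructed for the example; the `.invalid` domains are placeholders, not real indicators.

```python
"""Periodic-beacon heuristic over constructed connection records.

Added example (not from the ESET report or the AhRat sample): a RAT that
polls its C&C server every 15 minutes leaves a low-jitter, fixed-interval
pattern in connection logs.  This flags (device, destination) pairs whose
inter-connection gaps are tightly clustered.  All hostnames, device ids
and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log lines: "<ISO timestamp> <device> <destination host>".
# phone-17 polls a placeholder C&C host every ~15 min with a few seconds
# of jitter, and also browses a news site at irregular intervals.
SAMPLE_LOG = """
2023-05-01T08:00:05 phone-17 cfg.example-c2.invalid
2023-05-01T08:15:07 phone-17 cfg.example-c2.invalid
2023-05-01T08:30:04 phone-17 cfg.example-c2.invalid
2023-05-01T08:45:06 phone-17 cfg.example-c2.invalid
2023-05-01T09:00:05 phone-17 cfg.example-c2.invalid
2023-05-01T08:02:11 phone-17 www.example-news.invalid
2023-05-01T08:09:40 phone-17 www.example-news.invalid
2023-05-01T08:41:02 phone-17 www.example-news.invalid
2023-05-01T08:58:55 phone-17 www.example-news.invalid
2023-05-01T09:20:13 phone-17 www.example-news.invalid
2023-05-01T08:10:00 phone-22 www.example-news.invalid
"""


def parse_log(text):
    """Parse log lines into (device, host, timestamp) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, device, host = line.split()
        records.append((device, host, datetime.fromisoformat(ts)))
    return records


def find_beacons(records, min_events=4, max_jitter_ratio=0.05):
    """Return (device, host) pairs whose connection gaps are near-constant.

    For each pair, compute the gaps between consecutive connections.  If
    the pair has at least `min_events` connections and the spread between
    its shortest and longest gap is within `max_jitter_ratio` of the
    median gap, report it together with the median interval in seconds.
    """
    by_pair = defaultdict(list)
    for device, host, ts in records:
        by_pair[(device, host)].append(ts)

    findings = []
    for (device, host), times in by_pair.items():
        if len(times) < min_events:
            continue  # too few observations to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue  # duplicate timestamps; not a meaningful interval
        jitter = (max(gaps) - min(gaps)) / med
        if jitter <= max_jitter_ratio:
            findings.append({"device": device, "host": host,
                             "interval_s": med, "events": len(times)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['device']} -> {f['host']}: every "
              f"{f['interval_s'] / 60:.1f} min ({f['events']} connections)")
```

On the constructed log, only the pair `phone-17 -> cfg.example-c2.invalid` is reported (median gap about 900 s); the news-site traffic has gaps ranging from minutes to half an hour and is not flagged. In practice the jitter threshold and minimum event count need tuning per environment, since legitimate sync clients also poll on fixed schedules, so a hit is a lead for triage rather than a verdict.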

As mentioned earlier, AhRat is capable of exfiltrating files from the device and recording audio using the device's microphone. Of the 18 commands it can receive from the C&C server, it can execute only six, because the implementation for the remaining commands is not included in the app's code. Those six are nonetheless enough for file exfiltration and audio recording.

In conclusion, ESET's discovery of AhRat is a good example of how a legitimate application can be turned into malware through a later update. To counter such attacks, users should be cautious when downloading applications even from official stores like Google Play, since these stores may still contain malicious apps. Additionally, users should keep their devices up to date with the latest security patches and use reliable anti-virus software.
