Uninstall this app – recent updates turned it into a spy
- May 25, 2023
The app in question is the screen recording application “iRecorder – Screen Recorder”. At the time of analysis, it had been downloaded more than 50,000 times on Google Play. One of its updates introduced a remote access trojan.
iRecorder – Screen Recorder / Photo 24 Channel / Screenshot ESET
Because the app was designed to record the screen, attackers could request permission to record audio and access files on infected devices without arousing victims’ suspicions.
The malware added in the update is the AhRat RAT, based on the source code of the open-source AhMyth. But the code from AhMyth was heavily modified, and the developer clearly knew what he was doing.
The first malicious version of iRecorder contained parts of the AhMyth RAT malicious code that were copied without any modification. The second version of the malicious code, which we call AhRat, was also available on Google Play, where AhMyth was already customized: it had a code and a backdoor for communication with the C&C server. At the time of writing this post, we could not find AhRat in any other app on Google Play or anywhere else.
– write the analysts.
The AhRat malware has a wide range of capabilities, such as tracking the location of infected devices, stealing call logs, contacts and text messages, sending SMS messages, recording background sounds and taking photos.
ESET experts note that the malicious screen recording application uses only a fraction of AhRat’s capabilities: every 15 minutes, it recorded background sounds and transmitted them to a remote server (recording took about a minute), and it also stole files with certain extensions, which led the researchers to suspect cyber espionage. Despite this, they found no evidence that the activity was aimed at a particular group of people.
Source: 24 Tv