{
	"id": "28804ee4-3d59-44a8-9fa8-542452b68e6f",
	"created_at": "2026-04-06T00:16:14.437203Z",
	"updated_at": "2026-04-10T13:11:22.900664Z",
	"deleted_at": null,
	"sha1_hash": "3ff0f61c0cb39111fb387626ad3210bd8701164a",
	"title": "Android app breaking bad: From legitimate screen recording to file exfiltration within a year",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 655769,
	"plain_text": "Android app breaking bad: From legitimate screen recording to file\r\nexfiltration within a year\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 19:26:28 UTC\r\nESET researchers have discovered a trojanized Android app that had been available on the Google Play store with over\r\n50,000 installs. The app, named iRecorder - Screen Recorder, was initially uploaded to the store without malicious\r\nfunctionality on September 19th, 2021. However, it appears that malicious functionality was later implemented, most likely\r\nin version 1.3.8, which was made available in August 2022.\r\nKey points of the blogpost:\r\nAs a Google App Defense Alliance partner, we detected a trojanized app available on the Google Play Store; we\r\nnamed the AhMyth-based malware it contained AhRat.\r\nInitially, the iRecorder app did not have any harmful features. What is quite uncommon is that the application\r\nreceived an update containing malicious code quite a few months after its launch.\r\nThe application’s specific malicious behavior, which involves extracting microphone recordings and stealing files\r\nwith specific extensions, potentially indicates its involvement in an espionage campaign.\r\nThe malicious app with over 50,000 downloads was removed from Google Play after our alert; we have not detected\r\nAhRat anywhere else in the wild.\r\nIt is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code. The\r\nmalicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote\r\naccess trojan) and has been customized into what we named AhRat.\r\nBesides this one case, we have not detected AhRat anywhere else in the wild. However, this is not the first time that\r\nAhMyth-based Android malware has been available on Google Play; we previously published our research on such a\r\ntrojanized app in 2019. 
Back then, the spyware, built on the foundations of AhMyth, circumvented Google’s app-vetting process twice, as a malicious app providing radio streaming.\r\nOverview of the app\r\nAside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device. The app’s specific malicious behavior – exfiltrating microphone recordings and stealing files with specific extensions – tends to suggest that it is part of an espionage campaign. However, we were not able to attribute the app to any particular malicious group.\r\nAs a Google App Defense Alliance partner, ESET identified the most recent version of the application as malicious and promptly shared its findings with Google. Following our alert, the app was removed from the store.\r\nDistribution\r\nThe iRecorder application was initially released on the Google Play Store on September 19th, 2021, offering screen recording functionality; at that time, it contained no malicious features. However, around August 2022 we detected that the app’s developer included malicious functionality in version 1.3.8. As illustrated in Figure 1, by March 2023 the app had amassed over 50,000 installations.\r\nhttps://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/\r\nPage 1 of 7\n\nFigure 1. 
The trojanized iRecorder app\r\nHowever, Android users who had installed an earlier version of iRecorder (prior to version 1.3.8), which lacked any malicious features, would have unknowingly exposed their devices to AhRat if they subsequently updated the app, either manually or automatically: the update requested no additional permissions, so no new permission prompt was shown.\r\nFollowing our notification regarding iRecorder’s malicious behavior, the Google Play security team removed it from the store. However, it is important to note that the app can also be found on alternative and unofficial Android markets. The iRecorder developer also provides other applications on Google Play, but they don’t contain malicious code.\r\nAttribution\r\nPreviously, the open-source AhMyth was employed by Transparent Tribe, also known as APT36, a cyberespionage group known for its extensive use of social engineering techniques and targeting government and military organizations in South Asia. Nevertheless, we cannot ascribe the current samples to any specific group, and there are no indications that they were produced by a known advanced persistent threat (APT) group.\r\nAnalysis\r\nDuring our analysis, we identified two versions of malicious code based on AhMyth RAT. The first malicious version of iRecorder contained parts of AhMyth RAT’s malicious code, copied without any modifications. The second malicious version, which we named AhRat, was also available on Google Play, and its AhMyth code was customized, including the code and communication between the C&C server and the backdoor. 
By the time of this publication, we have not observed AhRat in any other Google Play app or elsewhere in the wild, iRecorder being the only app that has contained this customized code.\r\nAhMyth RAT is a potent tool, capable of various malicious functions, including exfiltrating call logs, contacts, and text messages, obtaining a list of files on the device, tracking the device location, sending SMS messages, recording audio, and taking pictures. However, we observed only a limited set of malicious features derived from the original AhMyth RAT in both versions analyzed here. These functionalities fit within the permissions the app already requested for its legitimate purpose, which grant access to files on the device and permit recording of audio. Notably, the app provided video recording functionality, so it was expected to ask for permission to record audio and store it on the device, as shown in Figure 2. Upon installation of the malicious app, it behaved as a standard app without any special extra permission requests that might have revealed its malicious intentions.\r\nFigure 2. Permissions requested by the iRecorder app\r\nAfter installation, AhRat starts communicating with the C&C server by sending basic device information and receiving encryption keys and an encrypted configuration file, as seen in Figure 3. These keys are used to encrypt and decrypt the configuration file and some of the exfiltrated data, such as the list of files on the device.\r\nFigure 3. AhRat’s initial C&C communication\r\nAfter the initial communication, AhRat pings the C&C server every 15 minutes, requesting a new configuration file. 
This file contains a range of commands and configuration information to be executed and set on the targeted device, including the file system location from which to extract user data, the file types with particular extensions to extract, a file size limit, the duration of microphone recordings (as set by the C&C server; during analysis it was set to 60 seconds), and the interval of time to wait between recordings – 15 minutes – which is also when the new configuration file is received from the C&C server.\r\nInterestingly, the decrypted configuration file contains more commands than AhRat is capable of executing, as certain malicious functionality has not been implemented. This may indicate that AhRat is a lightweight version similar to the initial version that contained only unmodified malicious code from the AhMyth RAT. Despite this, AhRat is still capable of exfiltrating files from the device and recording audio using the device’s microphone.\r\nBased on the commands received in the configuration from the C&C server, AhRat should be capable of executing 18 commands. However, the RAT can execute only the six commands from the list below marked with an asterisk:\r\nRECORD_MIC*\r\nCAPTURE_SCREEN\r\nLOCATION\r\nCALL_LOG\r\nKEYLOG\r\nNOTIFICATION\r\nSMS\r\nOTT\r\nWIFI\r\nAPP_LIST\r\nPERMISSION\r\nCONTACT\r\nFILE_LIST*\r\nUPLOAD_FILE_AFTER_DATE*\r\nLIMIT_UPLOAD_FILE_SIZE*\r\nUPLOAD_FILE_TYPE*\r\nUPLOAD_FILE_FOLDER*\r\nSCHEDULE_INTERVAL\r\nThe implementation for most of these commands is not included in the app’s code, but most of their names are self-explanatory, as shown also in Figure 4.\r\nFigure 4. 
Decrypted configuration file with a list of commands\r\nDuring our analysis, AhRat received commands to exfiltrate files with extensions representing web pages, images, audio, video, and document files, and file formats used for compressing multiple files. The file extensions are as follows: zip, rar, jpg, jpeg, jpe, jif, jfif, jfi, png, mp3, mp4, mkv, 3gp, m4v, mov, avi, gif, webp, tiff, tif, heif, heic, bmp, dib, svg, ai, eps, pdf, doc, docx, html, htm, odt, pdf, xls, xlsx, ods, ppt, pptx, and txt.\r\nThese files were limited to a size of 20 MB and were located in the Download directory /storage/emulated/0/Download. Located files were then uploaded to the C&C server, as seen in Figure 5.\r\nFigure 5. File exfiltration to C&C server\r\nConclusion\r\nThe AhRat research serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy. It is possible that the app developer intended to build up a user base before compromising their Android devices through an update, or that a malicious actor introduced this change in the app; so far, we have no evidence for either of these hypotheses.\r\nFortunately, preventative measures against such malicious actions have already been implemented in Android 11 and higher versions, in the form of automatic permission reset for unused apps (Android 11) and app hibernation (Android 12 and higher). 
These mechanisms target apps that have not been used for several months: their runtime permissions are automatically reset and, on Android 12 and higher, the app is placed into a hibernation state, so a dormant app that later turns malicious cannot use the microphone or storage until the user opens it and grants the permissions again. The limit of this protection is that an app in active use keeps its permissions, so it does not help a user who was still using iRecorder when the malicious update arrived.\r\nThe malicious app was removed from Google Play after our alert, but the case confirms that protection provided through multiple layers, such as ESET Mobile Security, remains essential for safeguarding devices against potential security breaches.\r\nThe remotely controlled AhRat is a customization of the open-source AhMyth RAT, which means that the authors of the malicious app invested significant effort into understanding the code of both the app and the back end, ultimately adapting it to suit their own needs.\r\nAhRat’s malicious behavior, which includes recording audio using the device’s microphone and stealing files with specific extensions, might indicate that it was part of an espionage campaign. 
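The persistence triggers and the permission picture described in this report (a receiver for BOOT_COMPLETED, CONNECTIVITY_CHANGE and WIFI_STATE_CHANGED; audio and storage permissions that a screen recorder legitimately needs; an update that prompted the user for nothing new) can be turned into a quick static triage of a decoded AndroidManifest.xml, combined with a match against the hashes, package name and C&C indicators from the IoC tables. The Python below is an added example written for this page; it is not ESET’s tooling and not code from the iRecorder app. The two manifests are constructed for illustration: the package name com.example.recorder and the receiver class .SyncReceiver are hypothetical, and whether the clean iRecorder already declared such a receiver is not stated in the report. The hashes, package name and network indicators are copied from the IoC tables. The split between prompted and silently granted permissions follows Android’s protection levels: RECORD_AUDIO and the external storage permissions are runtime (dangerous) permissions, while INTERNET and RECEIVE_BOOT_COMPLETED are install-time (normal) permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

# Broadcast actions the report names as AhRat triggers (ATT&CK T1398, T1624.001).
TRIGGER_ACTIONS = {'android.intent.action.BOOT_COMPLETED', 'android.net.conn.CONNECTIVITY_CHANGE',
                   'android.net.wifi.WIFI_STATE_CHANGED'}
# Runtime (dangerous) permissions behind what AhRat does: audio capture (T1429) and file theft
# from external storage (T1533). These prompt the user when first requested; install-time
# (normal) permissions such as INTERNET and RECEIVE_BOOT_COMPLETED are granted silently.
RUNTIME_PERMISSIONS = {'android.permission.RECORD_AUDIO', 'android.permission.READ_EXTERNAL_STORAGE',
                       'android.permission.WRITE_EXTERNAL_STORAGE'}
NETWORK_PERMISSION = 'android.permission.INTERNET'  # C&C over HTTPS (T1437.001)


def refang(indicator):
    # Published IoCs are defanged with '[.]'; normalise before comparing.
    return indicator.replace('[.]', '.').strip().lower()


# IoCs copied from the report's tables.
IOC_SHA1 = {'c73affaf6a9372c12d995843cc98e2abc219f162': 'Android/Spy.AhRat.A',
            'e97c7ac722d30cce5b6cc64885b1ffb43de5f2da': 'Android/Spy.AhRat.A',
            'c0ebcc9a10459497f5e74ac5097c8bd364d93430': 'Android/Spy.Android.CKN',
            '0e7f5e043043a57ac07f2e6ba9c5aee1399aad30': 'Android/Spy.Android.CKN'}
IOC_PACKAGES = {'com.tsoft.app.iscreenrecorder'}
IOC_NETWORK = {refang(i) for i in ('order.80876dd5[.]shop', '80876dd5[.]shop',
                                   '34.87.78[.]222', '13.228.247[.]118')}


def manifest_profile(manifest_xml):
    # Reduce a decoded AndroidManifest.xml to package, permissions and receiver -> actions.
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + 'name') for e in root.iter('uses-permission')}
    receivers = {rcv.get(ANDROID_NS + 'name'): {a.get(ANDROID_NS + 'name') for a in rcv.iter('action')}
                 for rcv in root.iter('receiver')}
    return {'package': root.get('package', ''), 'permissions': perms, 'receivers': receivers}


def triage(profile):
    # One finding per AhRat trait. A screen recorder legitimately produces the audio/storage
    # finding on its own; only the combination, or an IoC hit, is worth escalating.
    findings = []
    triggers = set()
    for actions in profile['receivers'].values():
        triggers |= actions & TRIGGER_ACTIONS
    if triggers:
        findings.append('broadcast-triggered execution: ' + ', '.join(sorted(triggers)))
    collect = profile['permissions'] & RUNTIME_PERMISSIONS
    if collect and NETWORK_PERMISSION in profile['permissions']:
        findings.append('audio/storage access plus network: ' + ', '.join(sorted(collect)))
    if profile['package'] in IOC_PACKAGES:
        findings.append('package name is a reported IoC: ' + profile['package'])
    return findings


def update_diff(old_profile, new_profile):
    # What a version-to-version diff shows. Only added runtime permissions cause a prompt
    # on update; new receivers and install-time permissions arrive without any user action.
    added = new_profile['permissions'] - old_profile['permissions']
    return {'added_runtime_permissions': added & RUNTIME_PERMISSIONS,
            'added_silent_permissions': added - RUNTIME_PERMISSIONS,
            'added_receivers': set(new_profile['receivers']) - set(old_profile['receivers'])}


def match_iocs(sha1, package, network_indicators):
    hits = []
    if sha1.lower() in IOC_SHA1:
        hits.append('sha1:' + IOC_SHA1[sha1.lower()])
    if package in IOC_PACKAGES:
        hits.append('package:' + package)
    hits += ['network:' + refang(i) for i in network_indicators if refang(i) in IOC_NETWORK]
    return hits


# Constructed manifests with hypothetical package and receiver names, not taken from the app.
CLEAN_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android' package='com.example.recorder'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.RECORD_AUDIO'/>
  <uses-permission android:name='android.permission.WRITE_EXTERNAL_STORAGE'/>
  <application/>
</manifest>'''
TROJANIZED_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android' package='com.example.recorder'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.RECORD_AUDIO'/>
  <uses-permission android:name='android.permission.WRITE_EXTERNAL_STORAGE'/>
  <uses-permission android:name='android.permission.RECEIVE_BOOT_COMPLETED'/>
  <application>
    <receiver android:name='.SyncReceiver'>
      <intent-filter>
        <action android:name='android.intent.action.BOOT_COMPLETED'/>
        <action android:name='android.net.conn.CONNECTIVITY_CHANGE'/>
      </intent-filter>
    </receiver>
  </application>
</manifest>'''

if __name__ == '__main__':
    old, new = manifest_profile(CLEAN_MANIFEST), manifest_profile(TROJANIZED_MANIFEST)
    print('clean:', triage(old), '| update:', triage(new), '| diff:', update_diff(old, new))
    print('iocs:', match_iocs('C73AFFAF6A9372C12D995843CC98E2ABC219F162',
                             'com.tsoft.app.iscreenrecorder', ['order.80876dd5[.]shop']))
```

Run against the constructed pair, the clean manifest yields only the audio/storage finding, which is exactly the signal the report says could not reveal iRecorder’s intent. The update adds a broadcast-triggered receiver and an install-time permission, and update_diff shows no added runtime permission, so a review that only watches for new permission prompts would have let this update through; comparing declared components (receivers and their intent filters) between versions is the check that would have flagged it. The IoC match is the fast path for an existing sample or a proxy log.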
However, we have yet to find any concrete evidence that would enable us to attribute this activity to a particular campaign or APT group.\r\nIoCs\r\nFiles\r\nSHA-1 | Package name | ESET detection name | Description\r\nC73AFFAF6A9372C12D995843CC98E2ABC219F162 | com.tsoft.app.iscreenrecorder | Android/Spy.AhRat.A | AhRat backdoor\r\nE97C7AC722D30CCE5B6CC64885B1FFB43DE5F2DA | com.tsoft.app.iscreenrecorder | Android/Spy.AhRat.A | AhRat backdoor\r\nC0EBCC9A10459497F5E74AC5097C8BD364D93430 | com.tsoft.app.iscreenrecorder | Android/Spy.Android.CKN | AhMyth-based\r\n0E7F5E043043A57AC07F2E6BA9C5AEE1399AAD30 | com.tsoft.app.iscreenrecorder | Android/Spy.Android.CKN | AhMyth-based\r\nNetwork\r\nIP | Provider | First seen | Details\r\n34.87.78[.]222 | Namecheap | 2022-12-10 | order.80876dd5[.]shop C&C server.\r\n13.228.247[.]118 | Namecheap | 2021-10-05 | 80876dd5[.]shop:22222 C&C server.\r\nMITRE ATT&CK Techniques\r\nThis table was built using version 12 of the MITRE ATT&CK framework.\r\nTactic | ID | Name | Description\r\nPersistence | T1398 | Boot or Logon Initialization Scripts | AhRat receives the BOOT_COMPLETED broadcast intent to activate at device startup.\r\nPersistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | AhRat functionality is triggered if one of these events occurs: CONNECTIVITY_CHANGE or WIFI_STATE_CHANGED.\r\nDiscovery | T1420 | File and Directory Discovery | AhRat can list available files on external storage.\r\nDiscovery | T1426 | System Information Discovery | AhRat can extract information about the device, including device ID, country, device manufacturer and model, and common system information.\r\nCollection | T1533 | Data from Local System | AhRat can exfiltrate files with particular extensions from a device.\r\nCollection | T1429 | Audio Capture | AhRat can record surrounding audio.\r\nCommand and Control | T1437.001 | Application Layer Protocol: Web Protocols | AhRat uses HTTPS to communicate with its C&C 
server.\r\nExfiltration | T1646 | Exfiltration Over C2 Channel | AhRat exfiltrates stolen data over its C&C channel.\r\nSource: https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"
	],
	"report_names": [
		"android-app-breaking-bad-legitimate-screen-recording-file-exfiltration"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434574,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ff0f61c0cb39111fb387626ad3210bd8701164a.pdf",
		"text": "https://archive.orkl.eu/3ff0f61c0cb39111fb387626ad3210bd8701164a.txt",
		"img": "https://archive.orkl.eu/3ff0f61c0cb39111fb387626ad3210bd8701164a.jpg"
	}
}