The AhRat Remote Access Trojan Targets Android Devices and Their Stored Data
AhRat is a Remote Access Trojan (RAT) that targets Android devices. It was distributed through a trojanized screen recording application published as a legitimate app on the Google Play store. The version originally uploaded to the store had no malicious characteristics; the threat actors later updated the app and introduced the malicious components.
AhRat is based on another RAT, AhMyth. At least two versions of the AhRat code are known to exist. The trojanized app used to distribute AhRat is called iRecorder - Screen Recorder.
AhRat Infiltrating Android Devices via Trojanized Apps
While the malicious iRecorder app does provide genuine screen recording capabilities, it also carries additional malicious functionality. For instance, it can record audio from the device's microphone and transmit the recording to a command and control (C&C) server operated by the attacker, who can then eavesdrop on conversations or collect other sensitive audio.
The app can also extract and transfer various types of files from the compromised device: saved web pages, images, audio, video, document files, and compressed archives. Because it specifically targets files with particular extensions, AhRat is most likely used for espionage.
The trojanized app containing the AhRat code has been removed from the Google Play Store. However, it may still be offered on unofficial websites or alternative app stores.
AhRat's Operations and Communication via Command and Control Server Interactions
Once installed on a device, AhRat contacts the command and control (C&C) server, sends basic device details, and receives encryption keys together with an encrypted configuration file. This configuration contains the commands and settings that govern AhRat's behavior on the targeted device.
AhRat then polls the C&C server every 15 minutes for an updated configuration file. The file specifies the directory from which user data is extracted, the file types to extract, a file size threshold, the microphone recording duration, and the interval between recordings.
The decrypted configuration file contains more commands than AhRat is currently programmed to execute. This suggests that the current AhRat is a streamlined version; its initial release contained only unmodified malicious code from the AhMyth RAT. Even so, AhRat remains capable of extracting files from the compromised device and recording audio through the device's microphone.
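The fixed 15-minute polling interval described above is the kind of behavior a defender can hunt for in proxy or NetFlow logs: a device that contacts one host on a near-constant timer, regardless of what the user is doing. The following detection helper is an added example written for this page, not code from AhRat, AhMyth or any vendor product. The log lines, device names and addresses are constructed sample data, and the `expected_period`/`max_jitter` thresholds are assumptions a practitioner would tune for their own environment.

```python
"""Periodic-beacon detection over constructed proxy/flow logs.

Hypothetical detection helper written for this page; it is not code from
AhRat, AhMyth or any vendor product. SAMPLE_LOG is constructed data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample: timestamp, source device, destination host, bytes out.
# "android-07" polls one host every ~15 minutes with slight jitter (the
# pattern described for AhRat); "android-12" browses irregularly.
SAMPLE_LOG = """\
2023-05-20T08:00:02Z android-07 203.0.113.10 412
2023-05-20T08:15:05Z android-07 203.0.113.10 418
2023-05-20T08:30:01Z android-07 203.0.113.10 410
2023-05-20T08:44:58Z android-07 203.0.113.10 415
2023-05-20T09:00:03Z android-07 203.0.113.10 411
2023-05-20T09:15:00Z android-07 203.0.113.10 417
2023-05-20T08:01:10Z android-12 198.51.100.7 9021
2023-05-20T08:03:42Z android-12 198.51.100.7 120
2023-05-20T08:29:15Z android-12 198.51.100.7 5532
2023-05-20T09:10:08Z android-12 198.51.100.7 77
2023-05-20T09:11:01Z android-12 198.51.100.7 4402
2023-05-20T09:50:33Z android-12 198.51.100.7 300
"""


def parse_log(text):
    """Group request timestamps by (source device, destination host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        flows[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return flows


def beacon_score(timestamps, min_events=5):
    """Return (median_interval_seconds, jitter_ratio), or None if too few events.

    jitter_ratio is stdev(intervals) / median(interval). A ratio near zero
    means the client is driven by a timer rather than by a human.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    return med, pstdev(gaps) / med


def find_beacons(text, expected_period=900, tolerance=0.1, max_jitter=0.05):
    """Flag (device, host) pairs polling within tolerance of expected_period
    (900 s = the 15-minute interval from the write-up) with low jitter.
    Thresholds are assumed starting points, not measured AhRat values."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is None:
            continue
        med, jitter = score
        if abs(med - expected_period) <= tolerance * expected_period and jitter <= max_jitter:
            hits.append((src, dst, round(med), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, period, jitter in find_beacons(SAMPLE_LOG):
        print(f"beacon: {src} -> {dst} every ~{period}s (jitter {jitter})")
```

On the sample data only `android-07` is flagged (median gap 897 s, jitter ratio about 0.004); the irregular `android-12` traffic has a median gap of 1533 s and is ignored. In practice the period check should be paired with the app identity (for example, the package that owns the socket) and with upload volume, since a benign app may also poll on a timer.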