A legitimate Android app on the Google Play Store with over 50,000 downloads was updated to include new malware known as “AhRat,” which can record audio and steal private files without the user’s knowledge.
Detected by ESET researchers, the iRecorder – Screen Recorder app did not contain any malicious code when it was uploaded in September 2021. Less than a year later, in August 2022, the app received an update containing AhMyth RAT (remote access trojan) malware.
The new AhRat malware allows the once-trusted app to use the Android device’s microphone to record its surroundings and upload the recordings to the attacker’s command and control (C&C) server. According to the report, it can also “exfiltrate files with extensions representing saved web pages, images, audio, video, and document files.” ESET suggests that the malicious code could be part of an espionage campaign.
Android owners who downloaded the iRecorder app before it was infected with malicious code would still be exposed to the AhRat malware: once they updated the app, the malware would take effect.
AhMyth-based Android malware has been detected on the official Google Play Store before, as ESET researchers discovered a similar trojanized app in 2019. This spyware got past Google’s strict app-vetting process twice.
“The AhRat research serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy,” ESET researcher Lukas Stefanko states. “While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app; so far, we have no evidence for either of these hypotheses.”
The Google Play security team was notified of the infected iRecorder app and has removed it from the store. While the ESET team states that the AhRat malware hasn’t been detected anywhere else, the app is available on third-party app stores. Interestingly, the iRecorder app developer also has other apps available, but the malware has not been detected in them.
With over 50,000 downloads, it’s a good idea to check if you have the iRecorder app downloaded. If you do, you’ll want to get rid of it post-haste.
How to remove AhRat malware on Android
The AhRat Android malware hasn’t been detected in any other apps, but since it popped up in a legitimate app, there’s a chance it could sneak its way into similar apps found on the Google Play Store or other third-party app stores.
If you find any signs of the AhRat malware in an app (or any type of malware), here’s a way to get rid of dangerous apps on your Android device safely. For more ways, check out our guide on how to remove malware on Android.
Signs of malware on Android
There are telltale signs that your device is under attack, which may include your device’s browser redirecting you to different web pages and installing unwanted toolbars, extensions or plugins.
- Your device is slower than usual and crashes frequently.
- Your browser is slower than usual and crashes frequently.
- Browsing through websites takes longer.
- You need to recharge your device more often.
- Apps take longer to load.
- There’s an unknown app or software on your device you didn’t download.
Safely remove an app on Android
- On your Android, press the necessary buttons to turn off your device.
- Tap and hold the Power off icon.
- Press OK to reboot to safe mode. This will restart your device.
- Once restarted, head to Settings.
- Navigate to Apps.
- Select any suspicious apps you wish to remove.
- Tap Uninstall. Restart your device to go back to normal mode.
Clear cache on Android
Clearing your browser and app cache on your device will help minimize the effects of malware. Apps and browsers store your online activities, and malicious software like adware can use this to cause more harm. Clearing cache can also help clear up space on your Android, boosting the device’s performance.
- To clear app cache, head to Settings.
- Select Storage and choose Apps.
- Select an app.
- Tap Clear cache.
Many Android owners use Google Chrome as their default browser. Here’s how to clear cache in Chrome on Android.
- On your Android, open Chrome.
- Tap the three vertical dots in the upper-right corner.
- Select Settings.
- Tap Privacy and security.
- Select Clear browsing data.
- To just clear cache, uncheck Browsing history and Cookies and site data.
- Tap Clear data.
Use antivirus software to protect your device
Simply put, the best way to get rid of malware is to use the best antivirus software.
There are many free malware removal apps that will dispatch malicious software on your device, but it’s a good idea to make sure these tools are trustworthy, as hackers can also disguise malicious apps as these tools on the Google Play Store to deploy even more malware.
The best antivirus apps come with a suite of security features that can get rid of viruses, malware, ransomware, spyware or any malicious software that burrows into your Android. Some antivirus software, such as Bitdefender, offers security subscriptions specifically for Android, making it a more cost-effective option for those who only need Android protection.
We also recommend free apps from known cybersecurity companies, including Avast One, AVG and Malwarebytes Mobile Security. These will detect and remove malware. Check out our thoughts on each antivirus below.