S1095 AhRat
AhRat is an Android remote access tool based on the open-source AhMyth remote access tool. AhRat initially spread in August 2022 on the Google Play Store via an update that added malicious code to the previously benign application “iRecorder – Screen Recorder,” which itself was released in September 2021.[1]
| Item | Value |
|---|---|
| ID | S1095 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 18 December 2023 |
| Last Modified | 22 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | AhRat can communicate with the C2 using HTTPS requests.[1] |
| mobile | T1429 | Audio Capture | AhRat can record audio using a device’s microphone.[1] |
| mobile | T1398 | Boot or Logon Initialization Scripts | AhRat can register with the `BOOT_COMPLETED` broadcast to start when the device turns on.[1] |
| mobile | T1533 | Data from Local System | AhRat can find and exfiltrate files with certain extensions, such as .jpg, .mp4, .html, .docx, and .pdf.[1] |
| mobile | T1521 | Encrypted Channel | AhRat can communicate with the C2 using HTTPS requests.[1] |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | AhRat can register with the `CONNECTIVITY_CHANGE` and `WIFI_STATE_CHANGED` broadcast events to trigger further functionality.[1] |
| mobile | T1646 | Exfiltration Over C2 Channel | AhRat can exfiltrate collected data to the C2, such as audio recordings and files.[1] |
| mobile | T1420 | File and Directory Discovery | AhRat can enumerate files on external storage.[1] |
| mobile | T1430 | Location Tracking | AhRat can track the device’s location.[1] |
| mobile | T1406 | Obfuscated Files or Information | AhRat can use an encryption key received from its C2 to encrypt and decrypt configuration files and exfiltrated data.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | AhRat can collect the device’s call log.[1] |
| mobile | T1636.003 | Contact List | AhRat can collect the device’s contact list.[1] |
| mobile | T1513 | Screen Capture | AhRat can record the screen.[1] |
| mobile | T1582 | SMS Control | AhRat can send SMS messages.[1] |
| mobile | T1426 | System Information Discovery | AhRat can obtain device info such as manufacturer, device ID, OS version, and country.[1] |