S1095: AhRat
AhRat is an Android remote access tool based on the open-source AhMyth remote access tool. AhRat initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, “iRecorder – Screen Recorder,” which itself was released in September 2021.[1]
Analyst context for executives and security teams
AhRat matters because it shows a mobile risk pattern executives should recognize: a previously benign Android app can become malicious through an update and then operate as a remote access tool. The ATT&CK relationships indicate behaviors that can affect privacy, sensitive data, and operational trust in managed mobile devices, including audio capture, screen capture, location tracking, contact and call log collection, local file discovery, SMS control, persistence triggers, and exfiltration over command-and-control channels.
Executive priority
Treat AhRat as a decision prompt for Android mobile governance rather than only a malware name. Leaders should ask whether the organization can identify installed risky apps, review app permission exposure, preserve mobile telemetry for incident response, and prove to auditors that mobile data access is controlled. Priority is higher for users handling regulated data, executive communications, field operations, or cyber-physical workflows where location, audio, screenshots, SMS, or contact data could create business continuity, privacy, or safety risk.
Technical view
For SOC, IR, and detection engineering teams, the supplied ATT&CK context points to Android-focused validation. Confirm visibility into app inventory and update history, requested and granted permissions, broadcast receiver registration or boot-triggered execution, file and directory enumeration, device/system information access, microphone and screen capture use, location access, SMS permissions or default SMS handler behavior, access to contacts and call logs, and network communications using web protocols or encrypted channels. Because ATT&CK provides no official detection text for AhRat and no tactics are specified, detections should be built from the related techniques and validated against local Android management, mobile threat defense, endpoint, and network telemetry.
Likely telemetry
- Android app inventory, package metadata, install source, and update history
- Application permission requests and grants, especially audio, location, SMS, contacts, call logs, storage, and screen capture-related consent
- Mobile device management or enterprise mobility management compliance state and device posture
- Android broadcast receiver or boot/logon initialization indicators where available
- App behavior showing file and directory enumeration or local data access
Detection direction
- Start with exposure discovery: identify Android devices with the referenced app or suspicious packages matching the AhRat case context, and review recent app updates from trusted app-store sources as well as sideloaded sources if present.
- Tune behavior analytics around combinations of permissions and behaviors rather than any single permission; screen recording, microphone, location, SMS, contacts, and call log access can be legitimate but become material when paired with remote access, discovery, persistence, or exfiltration behavior.
- Validate whether mobile telemetry can link an app to network destinations and data transfer volume; encrypted or web-protocol traffic may reduce payload visibility, so metadata, destination reputation, timing, and app ownership become important.
- Look for persistence-related Android event subscriptions such as boot completion or SMS-triggered behavior where telemetry supports it.
- Use relationship-driven triage: file discovery plus local data access plus exfiltration over C2 should receive higher priority than isolated permission use.
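One way to operationalize the combination-based triage above, as an added example that is not part of the ATT&CK entry or Glexia's analysis: a small Python script that reads an app's AndroidManifest.xml, maps declared permissions, manifest-registered broadcast receivers (the `BOOT_COMPLETED`, `CONNECTIVITY_CHANGE` and `WIFI_STATE_CHANGED` actions named in the technique table) and foreground-service types to capability labels, and scores the package on collection capabilities paired with persistence triggers and network access rather than on any single permission. The two manifests are constructed samples (a plain recorder and the same recorder after a hypothetical update), not the real iRecorder manifest, and the permission subset, weights and rating thresholds are assumptions to tune against local telemetry.

```python
import xml.etree.ElementTree as ET

# Namespace prefix for android:name and similar manifest attributes.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> capability label. Assumption: this subset is what a triage
# rule for the AhRat-style pattern cares about; it is not a complete list.
CAPABILITY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "audio_capture",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.SEND_SMS": "sms_control",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_EXTERNAL_STORAGE": "local_files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "local_files",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot_persistence",
    "android.permission.INTERNET": "network",
}

# Broadcast actions the technique table names as AhRat start/trigger events.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "boot_persistence",
    "android.net.conn.CONNECTIVITY_CHANGE": "connectivity_trigger",
    "android.net.wifi.WIFI_STATE_CHANGED": "connectivity_trigger",
}

COLLECTION = {"audio_capture", "screen_capture", "location", "sms_control",
              "contacts", "call_log", "local_files"}
TRIGGERS = {"boot_persistence", "connectivity_trigger"}


def extract_capabilities(manifest_xml):
    """Map declared permissions, receivers and services to capability labels."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for perm in root.iter("uses-permission"):
        label = CAPABILITY_PERMISSIONS.get(perm.get(ANDROID_NS + "name", ""))
        if label:
            caps.add(label)
    # Receivers registered in the manifest run without the user opening the app.
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            label = TRIGGER_ACTIONS.get(action.get(ANDROID_NS + "name", ""))
            if label:
                caps.add(label)
    # Screen capture via MediaProjection is granted at runtime, not by a
    # permission; the foreground-service type is the manifest-visible hint.
    for service in root.iter("service"):
        if "mediaProjection" in service.get(ANDROID_NS + "foregroundServiceType", ""):
            caps.add("screen_capture")
    return caps


def triage(manifest_xml):
    """Score combinations, not single permissions (weights are assumptions)."""
    caps = extract_capabilities(manifest_xml)
    collection = caps & COLLECTION
    triggers = caps & TRIGGERS
    network = "network" in caps
    points = len(collection)          # breadth of collectable data
    if collection and triggers:
        points += 3                   # collection paired with persistence
    if collection and network:
        points += 2                   # collection paired with an exfil path
    if len(collection) >= 3 and triggers and network:
        points += 4                   # full collect + persist + C2 shape
    rating = "high" if points >= 9 else "medium" if points >= 6 else "low"
    return {"score": points, "rating": rating, "network": network,
            "collection": sorted(collection), "triggers": sorted(triggers)}


# Constructed sample: a plain screen recorder (audio, storage, network, no
# manifest receivers). Not the real iRecorder manifest.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder">
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application>
        <service android:name=".RecorderService"
            android:foregroundServiceType="mediaProjection|microphone"/>
    </application>
</manifest>"""

# Constructed sample: the same recorder after a hypothetical update that adds
# the collection, persistence and trigger declarations described on this page.
RAT_PATTERN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder">
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application>
        <service android:name=".RecorderService"
            android:foregroundServiceType="mediaProjection|microphone"/>
        <receiver android:name=".StartReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("before update", BENIGN_MANIFEST),
                           ("after update", RAT_PATTERN_MANIFEST)):
        print(name, triage(manifest))
```

Running the script rates the recorder "low" before the update and "high" after it; the difference comes entirely from the pairing of new collection permissions with the boot and connectivity receivers and the existing network access, which is the update-driven shift this page describes. In practice the manifest would come from the MDM's app inventory or a decoded APK, and the output would be joined with runtime permission grants and network metadata before any response action.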
Mitigation priorities
- Prioritize Android app governance: maintain app inventory, restrict unauthorized or unnecessary apps, and review application update risk for devices handling sensitive data.
- Apply least-privilege permission practices through mobile policy where available, especially for microphone, location, SMS, contacts, call logs, storage, and screen capture capabilities.
- Ensure managed devices can produce incident response evidence, including package identity, install/update timeline, permission state, and network activity.
- Segment or monitor mobile device traffic where feasible so suspicious app communications over web protocols or encrypted channels can be investigated.
- Define response playbooks for suspected malicious mobile apps: isolate the device, preserve relevant telemetry, remove or disable the app according to policy, rotate exposed credentials where warranted by evidence, and assess data-access scope.
Analyst notes and limits
The object is an Android malware entry for AhRat, described by ATT&CK as a remote access tool based on AhMyth that spread through a malicious update to the previously benign iRecorder – Screen Recorder app. The strongest defensive value comes from the related techniques: persistence through initialization or broadcast receivers, obfuscation, discovery, audio/screen/location collection, SMS control, contact and call log collection, local data access, encrypted or web-protocol C2, and exfiltration over C2.
ATT&CK provides no official detection text, no aliases, and no tactics for this object in the supplied fields. This take does not assert current exploitation, attribution, customer exposure, or guaranteed detectability. Local conclusions require device inventory, mobile management coverage, permission state, network logs, and incident artifacts from the affected environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1437.001 | Web Protocols (sub-technique) | AhRat can communicate with the C2 using HTTPS requests.[1] |
| Mobile | T1533 | Data from Local System | AhRat can find and exfiltrate files with certain extensions, such as .jpg, .mp4, .html, .docx, and .pdf.[1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | AhRat can exfiltrate collected data to the C2, such as audio recordings and files.[1] |
| Mobile | T1636.003 | Contact List (sub-technique) | AhRat can collect the device’s contact list.[1] |
| Mobile | T1398 | Boot or Logon Initialization Scripts | AhRat can register with the `BOOT_COMPLETED` broadcast to start when the device turns on.[1] |
| Mobile | T1430 | Location Tracking | AhRat can track the device’s location.[1] |
| Mobile | T1636.002 | Call Log (sub-technique) | AhRat can collect the device’s call log.[1] |
| Mobile | T1406 | Obfuscated Files or Information | AhRat can use an encryption key received from its C2 to encrypt and decrypt configuration files and exfiltrated data.[1] |
| Mobile | T1420 | File and Directory Discovery | AhRat can enumerate files on external storage.[1] |
| Mobile | T1521 | Encrypted Channel | AhRat can communicate with the C2 using HTTPS requests.[1] |
| Mobile | T1513 | Screen Capture | AhRat can record the screen.[1] |
| Mobile | T1429 | Audio Capture | AhRat can record audio using a device’s microphone.[1] |
| Mobile | T1426 | System Information Discovery | AhRat can obtain device info such as manufacturer, device ID, OS version, and country.[1] |
| Mobile | T1624.001 | Broadcast Receivers (sub-technique) | AhRat can register with the `CONNECTIVITY_CHANGE` and `WIFI_STATE_CHANGED` broadcast events to trigger further functionality.[1] |
| Mobile | T1582 | SMS Control | AhRat can send SMS messages.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4ab251d78412… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] welivesecurity_ahrat_0523: Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.
[2] mitre-attack S1095: MITRE ATT&CK software entry S1095 (AhRat).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.