Trojanized Android Ahmyth RAT spreads via legitimate apps


SonicWall Capture Labs Threats Research team observed an Android Remote Administration Tool (RAT) named Ahmyth which is being trojanized into other Android apps and is getting distributed in the wild. Upon infecting an Android device this RAT can send sensitive information present on the device like SMS and call logs as well as perform functions like taking a picture, sending a text message or record audio via the microphone.

After obtaining a couple of malicious RAT samples we investigated further revealing the origins of this RAT. We found a Github repository that hosts the code for this RAT –

This RAT was released in 2017 and supports multiple Operating Systems:

The author claims that this was developed for educational purposes (as highlighted on Github) but clearly someone is spreading this RAT for their own malicious motives, more on that later.

Inside Ahmyth

This RAT contains two components:

  • Client side component – which runs on the victim’s Android device
  • Server side component – this runs on the computer which is used to monitor the victim and send commands to the infected device

Upon installing and running the server component we see the opening screen which shows a list of victims, currently in the image below there are none since we haven’t infected any victims yet.

In-order to report back to the server we add the server’s IP address in the source, once done we can build an apk which will report back to our machine:

Now the apk is ready to infect a device and report back to the server. Upon installing on a device the apk reports back to the server and we can see the victim’s entry on the dashboard:

The attacker can now command the RAT to perform a number of functions, few of them are highlighted below:

  • View Call logs
  • View and send SMS
  • View contacts
  • View GPS location of the device
  • View files on the device

We obtained samples with different source location, this is the address where the apk will report back to:


Spreading Ahmyth further

Malicious apk’s spread mainly via the following two routes:

  • As text message with a link to install the malicious apk
  • Email message containing a link to install the app

Additionally an attacker can spread this RAT via the Ahmyth control server by:

  • Sending a text message from the infected device to one of the victims contacts. For the new target it would appear as a text message from someone he knows, thereby there is a higher chance that he will trust this message

Another way to spread is this RAT is to trojanize it into something benign. Malware writers have already started combining Ahmyth with other clean Android apk’s, we identified a few of them:

  • Minecraft -com.mojang.minecraftpe
  • YouTube Downloader

Below is a comparison of the code structure found in the original Ahmyth client apk and a few trojanized samples in the wild:

Overall this looks like another case where a publicly available tool has been used for personal reasons with a malicious intent. We can expect more trojanized Android samples with a hidden Ahmyth RAT in the near future.

Sonicwall Capture Labs provides protection against this threat with the following signatures:

  • GAV: AndroidOS.AhRat.INFSTLR (Trojan)
  • GAV: AndroidOS.AhRat.INFSTLR_2 (Trojan)
  • GAV: AndroidOS.AhRat.INFSTLR_3 (Trojan)

Basic details about the samples analyzed:

    • Package name: ahmyth.mine.king.ahmyth
    • MD5: 8a630c3f3d441f012778efac3d154b90


    • Package name: com.mojang.minecraftpe
    • MD5: c552f2565df8b793fa68870309489b72


    • Package name:
    • MD5: c1f5e9e560388d5aeedc71628967e119


  • Package name: com.apkhere.flashlight
  • MD5: 2b648af46eb081d896768a9b3413e3b4


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.