A cybersecurity company says a popular Android screen recording app that racked up tens of thousands of downloads on Google's app store later began spying on its users, including stealing microphone recordings and other documents from the user's phone.
ESET research found that the Android app, "iRecorder — Screen Recorder," introduced malicious code as an app update nearly a year after it was first listed on Google Play. According to ESET, the code allows the app to secretly upload one minute of ambient audio from the device's microphone every 15 minutes, as well as exfiltrate documents, web pages and media files from the user's phone.
The app is no longer listed on Google Play. If you have installed the app, you need to delete it from your device. By the time the malicious app was removed from the app store, it had racked up more than 50,000 downloads.
ESET calls the malicious code AhRat, a customized version of an open-source remote access trojan called AhMyth. Remote access trojans (or RATs) are built to have broad access to the victim's device and often include remote control capabilities, but they also function similarly to spyware and stalkerware.

A screenshot of iRecorder listed on Google Play as it was cached by the Internet Archive in 2022. Image Credits: TechCrunch (screenshot)
Lukas Stefanko, an ESET security researcher who discovered the malware, said in a blog post that the iRecorder app had no malicious features when it first launched in September 2021.
Once the malicious AhRat code is pushed as an app update to existing users (and to new users who download the app directly from Google Play), the app begins to secretly access the user's microphone and upload the user's phone data to a server controlled by the malware operator. Stefanko said the audio recording "fits into the already defined app permissions model," because a screen recording app is expected to capture the device's screen and to request access to the device's microphone, so the malicious recording does not require any additional permission prompts.
It is not clear who planted the malicious code – whether the developer or someone else – or for what reason. TechCrunch emailed the developer's email address that was listed on the app's Google Play page before it was pulled, but has not heard back.
Stefanko said the malicious code was likely part of a wider espionage campaign – where hackers work to collect information on targets of their choosing – sometimes for governments or for financial reasons. He said it’s “rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code.”
It is not unheard of for malicious apps to sneak into the app stores, and this is not the first time AhMyth has made its way onto Google Play. Google and Apple screen apps for malware before listing them for download, and sometimes act proactively to pull apps that could put users at risk. Last year, Google said it prevented more than 1.4 million privacy-infringing applications from reaching Google Play.