Google Android App Was Secretly Recording Users For Almost A Year

iRecorder - Screen Recorder, an Android app on the Google Play store, illegally downloaded and transmitted user audio.

By Charlene Badasie | Updated

An Android app initially designed for screen recordings has been exposed for secretly capturing audio and transmitting it to questionable destinations. According to Essential Security against Evolving Threats (ESET) researcher Lukas Stefanko, the app has been available via the Google Play store since September 19, 2021. Approximately 50,000 downloads later, the program turned evil.

However, after an update in August 2022, the Android app, named iRecorder – Screen Recorder, began recording a minute of audio every 15 minutes. These clips were then forwarded to the developer’s server through an encrypted link. “Initially, the iRecorder app did not have any harmful features,” Stefanko wrote in a WeLiveSecurity blog post.

It is extremely rare for a developer to release a legitimate Android app, wait for an extended period of time, and then introduce malicious code through an update. The nefarious code that was added to the clean version of iRecorder is based on the “open-source AhMyth Android RAT (remote access trojan)” and has been customized into a version called AhRat.

Along with its screen recording capabilities, the Android recording app possessed the ability to capture surrounding audio through the device’s microphone and transmit it to the attacker’s command and control (C&C) server. Furthermore, it can extract files with extensions related to saved web pages, images, audio, video, documents, and compressed file formats from the targeted device.

The Android app’s specific malicious actions strongly indicate its involvement in an espionage campaign. However, ESET was unable to identify a particular group associated with the program. Fortunately, iRecorder has now been pulled from Google Play, and researchers haven’t found traces of the AhRat malware anywhere else.

However, this is not the first instance of AhMyth-based Android malware on Google Apps. WeLiveSecurity previously published research on a trojanized app in 2019. At the time, the spyware escaped Google’s app-vetting process twice by disguising itself as a harmless radio streaming offering. The incident amplifies the need for caution, even when using programs from official app stores.


The presence of scam apps is not a new phenomenon in Android or Apple App Stores. Among these, recorder apps have earned a notorious reputation, often exhibiting predatory subscription pricing models and employing fake reviews to boost their visibility. Apps gradually turning malicious are very problematic as they leverage the permissions granted to access sensitive information on their devices.

While the iRecorder Android app is no longer a concern, the underlying question remains. What prevents another dormant agent from turning your device into a spy tool? Luckily, Google is taking steps to address this problem by developing updates that provide monthly notifications, informing users about any changes in data-sharing practices made by apps.

These efforts aim to enhance transparency and empower users to stay informed about their app’s behaviors. Meanwhile, to safeguard against spyware, regularly update your operating system and web browsers to ensure you have the latest protection against threats. Install reputable antivirus and anti-spyware software on your devices. Always run regular scans to detect and remove any potential danger.

Incorporating these practices into your digital routine can significantly reduce the risk of falling victim to Android app spyware and other malicious threats.