Starting out as something innocent and seemingly useful, like any other app that made it onto the Google Play Store, the iRecorder Screen Recorder turned malicious almost a year after it was listed.
According to the report, the app was listed in September 2021. After it received an update in August of the following year, it started to record a minute of audio every 15 minutes and send the recordings to the developer's server via an encrypted link.
The entire event was documented in a blog post by Essential Security against Evolving Threats (ESET) researcher Lukas Stefanko.
According to the report, Stefanko stated that, after receiving an update in August 2022, the app was embedded with malicious code that shares the same behavior as the "open-source AhMyth Android RAT (remote access trojan)", the very same code that previously went past Google's filters.
But therein lies the sticky problem, per Stefanko, who said that apps that turn villainous do so after they have been installed for a while, which puts them in a special position to extract sensitive information from their users for the perpetrator to use for nefarious reasons.
Recorder apps, in general, are especially prone to turning to the dark side and exploiting their unwitting victims, and there are already other suspicious practices around them, largely as part of their marketing: fake reviews that boost their visibility, as well as predatory subscription pricing.
By the time the app was identified and removed from the Google Play Store, the iRecorder Screen Recorder already had 50,000 downloads.
This article, Android app secretly recorded users and sent it to attackers, was originally published at NoypiGeeks | Philippines Technology News, Reviews and How to’s.