Legitimate Mobile Application, “iRecorder” Turns Malicious After a Year in Operation


Information security researchers at ESET, a cybersecurity service provider have discovered that a previously legitimate screen recording mobile application “iRecorder”, has become malicious over the last year and now presents a serious threat to users’ privacy. With over 50,000 installs, the app was first uploaded to the Google Play Store on September 19, 2021. Google has since taken down the application from its Play Store following the alert from ESET.


  • Malicious code was embedded into the application following an update in August 2022 (version 1.3.8). This allowed cybercriminals to make secret audio recordings and transfer images, videos, saved web pages, and other files from an infected device to a command and control (C&C) server every 15 minutes.
  • The customised malicious code is based on the open-source AhMyth Android RAT (remote access trojan).
  • Anyone who downloaded the app before August 2022 might still have been exposed if they updated it manually or automatically.
  • The trojanised screen recording app remains a threat to users that had already installed it on their devices.
  • While Google has removed the software from its Play Store, this app will likely still appear on third-party app stores.
  • Android 11 and higher versions have inbuilt preventive measures against such malicious apps in the form of app hibernation. This feature effectively places apps that have been dormant for several months into a hibernation state, thereby resetting their runtime permissions and preventing malicious apps from functioning as intended.


  • Users with the iRecorder application installed on their devices are advised to UNINSTALL IT IMMEDIATELY and clear all related files.
  • Users are encouraged to routinely review applications’ permissions on their devices.
  • Uninstall unused applications to reduce the risk of exposure to compromised apps and to free resources (memory, storage) on devices.
  • Regularly update device operating system software to benefit from new security patches and features.

Contact the Cyber Security Authority

The CSA has a 24-hour Cybersecurity/Cybercrime Incident Reporting Points of Contact (PoC) for reporting cybercrimes and for seeking clarification and guidance on online links and transactions;Call or Text – 292, WhatsApp – 0501603111, Email – report@csa.gov.gh

Issued by Cyber Security Authority
June 30, 2023