An Android recording app called iRecorder Screen Recorder began as an innocent screen recording app but turned evil nearly a year after it was first released, as detailed by Ars Technica. The app first came out in September 2021, but after an update the following August, it began recording a minute of audio every 15 minutes and forwarding those recordings, through an encrypted link, to the developer’s server. The whole thing is documented in a blog post from Essential Security against Evolving Threats (ESET) researcher Lukas Stefanko.

In the post, Stefanko said the app was updated in August 2022 to include malicious code “based on the open-source AhMyth Android RAT (remote access trojan).” The app had 50,000 downloads by the time it was reported and removed from the Play store. Stefanko added that apps with AhMyth embedded in them had made it past Google’s filters before.

Scam apps aren’t new on either Apple’s or Google’s app stores. Recorder apps can be especially bad, sometimes having predatory subscription pricing and fake reviews to inflate their visibility on those platforms. And Stefanko’s blog post highlights a particularly sticky problem: apps turning to the dark side after you’ve had them for a while, using the permissions you granted them at the outset to gather sensitive information from your device and shuttle it off to the developer for nefarious activities.

This particular app is gone, but what’s to keep another sleeper agent from activating on your phone? Google is at least working on updates that will tell you via monthly notification which, and when, apps have changed their data-sharing practices — if it finds out, that is.