A data-stealing malicious app was found to have been hosted on Google Play not once, but twice. It was discovered by ESET security researcher Lukas Stefanko, who notified Google. According to the researcher, this is the first spyware built on the open-source AhMyth RAT (Remote Access Tool) to slip past Google’s app vetting: although AhMyth has been available since 2017, malware based on it had never before made it onto Google Play.
The app in question is called Radio Balouch (or RB Music) and actually functions as a streaming radio app. When users install it, they are asked to grant the app permission to access files and contacts. The app then sends the acquired data to a Command & Control server (C&C).
The Radio Balouch app steals user data, including files
The spyware poses as a radio app, and the radio functionality genuinely works. While users listen to the radio, however, their data is being stolen.
When the app is opened, users are asked to choose between English and Farsi, after which the app requests permissions. Among them is access to file storage; the radio does not work if this request is denied. The app justifies its need for access to photos, media and files with the claim that “you can save musics on your device and play offline”. If file access is granted, it then asks for access to contacts, so that you would be able to “share download link of the app via sms to your contacts”. Besides files, the app also steals contacts and sends SMS messages.
Once the app has all the permissions it needs, the user can start using it. It also asks users to create an account, which is likely a way to harvest email addresses and passwords. If users reuse their passwords, the people behind the app could gain access to their other accounts. ESET notes that the credentials are transmitted unencrypted over an HTTP connection.
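The behaviour described in the two paragraphs above (a “utility” app that combines network access with storage, contacts and SMS permissions, and that sends data over plain HTTP) is something a reviewer can look for statically before installing an app. The following triage script is an added example, not code from ESET or from the app itself: it parses an AndroidManifest.xml and flags that combination, plus an explicit opt-in to cleartext traffic. The manifest, package name and activity name below are constructed for illustration; the page does not reproduce the real app’s manifest.

```python
"""Static triage of an Android manifest for the pattern described in the article:
network access combined with storage/contacts/SMS permissions, and cleartext
(HTTP) traffic explicitly allowed.

Added example. The sample manifests are constructed; the package name
'com.example.streamingradio' is hypothetical, not the real app's."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission constants that, together with INTERNET,
# give an app the capability to collect and send the data the article describes.
EXFIL_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE": "file storage",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.SEND_SMS": "SMS sending",
}
NETWORK_PERMISSION = "android.permission.INTERNET"

# Constructed manifest resembling the permission set described in the article.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streamingradio">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Radio" android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed manifest of a radio app that only streams: network access, no cleartext opt-in.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streamingradio">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Radio">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def requested_permissions(root):
    """Return the set of permission names declared via <uses-permission>."""
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def triage_manifest(xml_text):
    """Return a list of human-readable findings; an empty list means no flags raised."""
    root = ET.fromstring(xml_text.strip())
    perms = requested_permissions(root)
    findings = []

    # Finding 1: data-access permissions paired with network access.
    sensitive = [label for perm, label in EXFIL_PERMISSIONS.items() if perm in perms]
    if NETWORK_PERMISSION in perms and sensitive:
        findings.append("network access combined with: " + ", ".join(sensitive))

    # Finding 2: the app explicitly allows cleartext HTTP, consistent with
    # credentials being sent unencrypted as the article reports.
    app = root.find("application")
    if app is not None and app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic") == "true":
        findings.append("cleartext (HTTP) traffic explicitly allowed")

    return findings


if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, "->", triage_manifest(manifest) or ["no findings"])
```

A storage permission alone is not damning (a radio app may really offer offline saving); the signal worth acting on is the combination of contacts and SMS with network access in an app whose stated purpose needs none of them, which is exactly the mismatch a user reviewing requested permissions should notice.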
The most worrying thing about this malicious app is that it managed to sneak onto Google Play twice. The first time, ESET researchers informed Google about the app and it was removed soon after. However, it reappeared days later, and was removed only after ESET notified Google again. Fortunately, it was not downloaded onto many devices: according to ESET, the number of downloads was just over 100.
The app can still be found on third-party app stores and is being promoted on Instagram and YouTube. ESET has notified the service providers but has yet to receive a response.
This is not the first time a malicious app has made it onto Google Play, and it certainly won’t be the last. While users are encouraged to download Android apps only from Google Play, they should not do so blindly. It’s always a good idea to check the developer, the reviews, the permissions the app requests, and so on; in short, find out everything you can about an app before installing it. Furthermore, users are advised to install a mobile security tool that detects such apps and removes them before they can do damage.