Pierluigi Paganini August 22, 2019

ESET experts discovered that an Android app infected with AhMyth open-source RAT has bypassed the security of Google Play twice over two weeks.

The popular malware researcher Lukas Stefanko from ESET discovered that a malicious spyware, built on the AhMyth open-source espionage tool, was uploaded on Google Play twice over two weeks, bypassing Google security checks.

The malicious app, named Radio Balouch (or RB Music), includes functionality from AhMyth Android RAT.

RB Music is a streaming app for the Balouchi music that is traditional of the Balochistan region in south-western Asia.

“ESET researchers have discovered the first known spyware that is built on the foundations of AhMyth open-source malware and has circumvented Google’s app-vetting process. The malicious app, called Radio Balouch aka RB Music, is actually a fully working streaming radio app for Balouchi music enthusiasts, except that it comes with a major sting in its tail – stealing personal data of its users.” wrote Stefanko. “The app snuck into the official Android app store twice, but was swiftly removed by Google both times after we alerted the company to it.”

The source code of the RAT is available on GitHub since October 2017.

According to ESET experts, this is the first case of malicious apps built on AhMyth that spread through the official Google store bypassing Google’s app-vetting mechanism.

The app is able to steal contacts, harvest files stored on the device and send SMS messages from the affected device. It also implements a feature to steal SMS messages stored on the device, but this functionality can’t be utilized since Google’s recent restrictions only allow the default SMS app to access those messages.

Stafanko pointed out that the AhMyth code inside the app was not obfuscated or protected, making it very easy to be detected, by Google failed it.

The experts discovered twice different versions of the malicious Radio Balouch app on Google Play, the application had 100 downloads.

The researchers first discovered the app on Google Play on July 2, 2019, then it was removed within 24 hours. The Radio Balouch app reappeared on Google Play on July 13^th, 2019, ESET discovered it and alerted Google that quickly removed it.

The malicious app was also distributed via third-party app stores, via a dedicated website, radiobalouch[.]com, via a link promoted via a related Instagram account. The expert discovered that the server was also used for the spyware’s C&C communications. The domain was registered on March 30^th, 2019, and after the ESET report, it was taken down by the threat actors.

Once the app is executed, it will ask users to choose their preferred language (English or Farsi), then it starts requesting permissions such as the access to files on the device and the access to the contacts.

“Then, the app requests the permission to access contacts. Here, to camouflage its request for this permission, it suggests this functionality is necessary should the user decide to share the app with friends in their contact list. If the user declines to grant the contact permissions, the app will work regardless.” continues the report.

After the setup, the malicious app displays its home screen with music options, and allows users to register and login. This feature is fake, the user will be always authenticated for every input he will provide. Experts believe this feature has been implemented to lure credentials from the victims and try to break into other services that share the same credentials.  

“The (repeated) appearance of the Radio Balouch malware on the Google Play store should serve as a wake-up call to both the Google security team and Android users. Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may appear on Google Play.” Stefanko concludes.

“While the key security imperative “Stick with official sources of apps” still holds, it alone can’t guarantee security. It is highly recommended that users scrutinize every app they intend to install on their devices and use a reputable mobile security solution.“

Pierluigi Paganini

(SecurityAffairs – ahMyth, spyware)

[adrotate banner=”5″]

[adrotate banner=”13″]