App tainted with AhMyth open-source spyware appeared on Google Play Store twice


ESET experts discovered that an Android app infected with AhMyth open-source RAT has bypassed the security of Google Play twice over two weeks.

The popular malware researcher Lukas Stefanko from ESET discovered that a malicious spyware, built on the AhMyth open-source espionage tool, was uploaded on Google Play twice over two weeks, bypassing Google security checks.

The malicious app, named Radio Balouch (or RB Music), includes functionality from AhMyth Android RAT.

RB Music is a streaming app for Balouchi music, the traditional music of the Balochistan region in south-western Asia.

“ESET researchers have discovered the first known spyware that is built on the foundations of AhMyth open-source malware and has circumvented Google’s app-vetting process. The malicious app, called Radio Balouch aka RB Music, is actually a fully working streaming radio app for Balouchi music enthusiasts, except that it comes with a major sting in its tail – stealing personal data of its users.” wrote Stefanko. “The app snuck into the official Android app store twice, but was swiftly removed by Google both times after we alerted the company to it.”

The source code of the RAT has been publicly available on GitHub since October 2017.

According to ESET, this is the first known case of an AhMyth-based malicious app spreading through the official Google store and bypassing Google's app-vetting mechanism.

The app can steal contacts, harvest files stored on the device and send SMS messages from the infected device. It also contains code to exfiltrate SMS messages stored on the device, but this functionality cannot be used: Google's recent permission restrictions only allow the app set as the default SMS handler to access those messages.

Stefanko pointed out that the AhMyth code inside the app was not obfuscated or otherwise protected, which should have made it trivial to detect; nevertheless, Google's checks failed to catch it.
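The two points above (a radio-streaming app requesting contacts, file and SMS permissions, and SMS access that is useless to anything but the default SMS handler) are exactly what a manifest-level triage would flag. The following is an added example written for this article, not ESET's tooling or the AhMyth code: it parses an AndroidManifest.xml, compares the declared permissions against a baseline a streaming-radio app plausibly needs, and separately flags SMS-reading permissions declared without the SMS_DELIVER receiver a default SMS handler must register. The baseline, the permission groups and the two sample manifests are all constructed assumptions, not signatures extracted from the real APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # namespaced attribute prefix, e.g. A + "name"

# Permission groups the article says the AhMyth payload abuses (contacts,
# files, SMS). Grouping is an assumption of this triage script, not an
# AhMyth signature.
SUSPECT_GROUPS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "sms": {"android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
}

# Assumed baseline: what a plain streaming-radio app plausibly needs.
EXPECTED_FOR_RADIO = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
    "android.permission.FOREGROUND_SERVICE",
}

SMS_READ_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def declared_permissions(root):
    """Return the set of <uses-permission android:name=...> values."""
    return {e.get(A + "name") for e in root.iter("uses-permission") if e.get(A + "name")}


def has_sms_deliver_receiver(root):
    """A default SMS handler must register a receiver for SMS_DELIVER.
    (Simplified: Android also requires WAP_PUSH_DELIVER, SENDTO and
    RESPOND_VIA_MESSAGE components; checking SMS_DELIVER alone is enough
    to show the permission is requested without the handler role.)"""
    for recv in root.iter("receiver"):
        for action in recv.iter("action"):
            if action.get(A + "name") == "android.provider.Telephony.SMS_DELIVER":
                return True
    return False


def triage(manifest_xml):
    """Return a list of (finding, [permissions]) pairs for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    findings = []
    unexpected = perms - EXPECTED_FOR_RADIO
    for group, members in SUSPECT_GROUPS.items():
        hit = sorted(members & unexpected)
        if hit:
            findings.append((group, hit))
    # SMS read access declared, but the app is not built to be the default
    # SMS handler: on current Play policy this permission cannot be used.
    sms_read = SMS_READ_PERMS & perms
    if sms_read and not has_sms_deliver_receiver(root):
        findings.append(("sms_policy", sorted(sms_read)))
    return findings


# Constructed manifest modelled on the article's description of Radio Balouch
# (a radio app that also asks for contacts, files and SMS). Not the real APK.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rbmusic">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="RB Music">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed benign manifest for a streaming-radio app.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleanradio">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Clean Radio">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(xml) or "no findings")
```

On a real APK the manifest is binary XML and must first be decoded (for example with apktool or androguard) before being fed to `triage`; the heuristic is a triage aid to prioritise manual review, not a verdict.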

The experts found two different versions of the malicious Radio Balouch app on Google Play; the application had 100 downloads.

The researchers first discovered the app on Google Play on July 2, 2019, and it was removed within 24 hours. The Radio Balouch app reappeared on Google Play on July 13, 2019; ESET spotted it again and alerted Google, which quickly removed it.

The malicious app was also distributed through third-party app stores and through a dedicated website, radiobalouch[.]com, promoted via a link on a related Instagram account. The experts found that the same server was also used for the spyware's C&C communications. The domain was registered on March 30, 2019, and after the ESET report it was taken down by the threat actors.

Once executed, the app asks users to choose their preferred language (English or Farsi), then starts requesting permissions, such as access to files on the device and access to contacts.

“Then, the app requests the permission to access contacts. Here, to camouflage its request for this permission, it suggests this functionality is necessary should the user decide to share the app with friends in their contact list. If the user declines to grant the contact permissions, the app will work regardless.” continues the report.

After the setup, the malicious app displays its home screen with music options and lets users register and log in. This feature is fake: whatever credentials the user enters are accepted. Experts believe it was implemented to harvest credentials from victims, which the attackers can then try against other services where the same credentials are reused.

“The (repeated) appearance of the Radio Balouch malware on the Google Play store should serve as a wake-up call to both the Google security team and Android users. Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may appear on Google Play.” Stefanko concludes.

“While the key security imperative ‘Stick with official sources of apps’ still holds, it alone can’t guarantee security. It is highly recommended that users scrutinize every app they intend to install on their devices and use a reputable mobile security solution.”


Pierluigi Paganini

(SecurityAffairs – ahMyth, spyware)
