Open-source spyware bypasses Google Play defenses

Google Play Store continues to attract sketchy Android apps despite its best efforts to screen incoming apps for malware.

In a new report published by security firm ESET, researchers have discovered the first known instance of an open-source spyware bypassing the internet giant’s app store vetting process — twice.

Radio Balouch — the app in question — is a legitimate radio application serving Balouchi music enthusiasts, except that it also included AhMyth, a remote access espionage tool that has been available on GitHub as an open-source project since late 2017.

Lukas Stefanko, ESET researcher who uncovered the campaign, said the app was uploaded twice on Google Play — once on July 2 and a second time on July 13 — only to be swiftly removed by Google within 24 hours upon being alerted by the security team. It continues to be available on third-party app stores.

TNW Conference 2024- 2for1 offer this week only!

Don't miss out on the world-class speakers. Secure your 2for1 tickets before 23 April.

While the service’s dedicated website “radiobalouch.com” is no longer accessible, the attackers also seem to have promoted the app on Instagram and YouTube. The app, in total, attracted over 100 installs.

Upon launch, the app was found to ask for permission to access the device’s files and contacts, and “send information it has gathered about its victims — notably information about the compromised devices, and the victims’ contacts lists” to a C&C server — the now-defunct radiobalouch.com domain.

#ESETresearch discovered the first known #spyware built on the foundations of AhMyth open-source malware that made it onto @GooglePlay. The #RadioBalouch app is a fully working streaming radio app, except – it steals personal data of users. @LukasStefanko https://t.co/MRKufoV2Xp pic.twitter.com/3iPRD8wJd3

— ESET research (@ESETresearch) August 22, 2019

Worse, the information was transmitted unencrypted over an HTTP connection. That a successful spyware incorporated an open-source malware is alarming enough, but the fact that the same app got by Google’s defenses twice is a real cause for concern.

Not only does it raise questions about Google’s supposed vetting process, it leaves unsuspecting users at risk of getting their data hijacked by malicious actors.

Still, the same rule of caution applies. It’s always best to keep your phone’s software up to date, refrain from downloading apps from unknown sources, and be cautious of the permissions requested by apps.

“While the key security imperative ‘Stick with official sources of apps’ still holds, it alone can’t guarantee security,” Stefanko said. “It is highly recommended that users scrutinize every app they intend to install on their devices.”