The malicious app, named Radio Balouch (or RB Music), includes functionality from AhMyth Android RAT.
RB Music is a streaming app for the Balouchi music that is traditional of the Balochistan region in
“ESET researchers have discovered the first known spyware that is built on the foundations of AhMyth open-source malware and has circumvented Google’s app-vetting process. The malicious app, called Radio Balouch aka RB Music, is actually a fully working streaming radio app for Balouchi music enthusiasts, except that it comes with a major sting in its tail – stealing personal data of its users.” wrote Stefanko. “The app snuck into the official Android app store twice, but was swiftly removed by Google both times after we alerted the company to it.”
The source code of the RAT
According to ESET experts, this is the first case of malicious apps built on AhMyth that spread through the official Google store bypassing Google’s app-vetting mechanism.
The app is able to steal contacts, harvest files stored on the device and send SMS messages from the affected device. It also implements a feature to steal SMS messages stored on the device, but this functionality
The experts discovered twice different versions of the malicious Radio Balouch app on Google Play, the application had 100 downloads.
The researchers first discovered the app on Google Play on July 2, 2019, then it was removed within 24 hours. The Radio Balouch app reappeared on Google Play on July 13
The malicious app was also distributed via third-party app stores, via a dedicated website,
Once the app is executed, it will ask users to choose their preferred language (English or Farsi), then it starts requesting permissions such as the access to files on the device and the access to the contacts.
“Then, the app requests the permission to access contacts. Here, to camouflage its request for this permission, it suggests this functionality is necessary should the user decide to share the app with friends
After the setup, the malicious app displays its home screen with music options, and allows users to register and login. This feature is fake, the user will be always authenticated for every input he will provide. Experts believe this feature has been implemented to lure credentials from the victims and try to break into other services that share the same credentials.
“The (repeated) appearance of the Radio Balouch malware on the Google Play store should serve as a wake-up call to both the Google security team and Android users. Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may appear on Google Play.” Stefanko concludes.
“While the key security imperative “Stick with official sources of apps” still holds, it alone can’t guarantee security. It is highly recommended that users scrutinize every app they intend to install on their devices and use a reputable mobile security solution.