• The malicious app snuck into the official Google Play store twice and was promptly removed after notification.
  • The app steals user data such as contacts, SMS, and files from mobile phone storage and sends them to a remote C&C server.

Android users were warned of a critical spyware app that was available for download in the official Google Play store. The malicious app, called Radio Balouch or RB Music, was identified as stealing personal user data from smartphones. The app posed as a legitimate radio streaming service for Balouchi music followers, but that service came at the cost of first-of-its-kind malicious activities.

Who discovered the malicious app?

Lukas Stefanko, a security researcher at ESET, discovered the malicious app on the Google Play store. The malicious actors managed to sneak the app into the official Google Play store twice, and each time it was promptly removed by the Google security team after notification by Stefanko.

Stefanko and ESET researchers conducted an extensive investigation and published a detailed report. The fact that Google let the same developer post “this evident malware” to the store repeatedly is “disturbing,” Stefanko said in the report.

What does the app do?

Outwardly, the app posed as an Internet radio streaming service, but it came bundled with AhMyth Remote Access Tool (RAT) functionality that spied on its users in the background.

  • The app could steal content such as contacts, SMS messages, stored files and more from affected devices.
  • When opened for the first time, the app lets users choose a language (English or Farsi), after which it starts requesting permissions. One such permission prompts for access to the device's file storage; if it is denied, the radio stops working.
  • When users try to sign up for the radio streaming service, the provided credentials are transmitted to a remote server without any encryption, over plain HTTP.
  • The app sends all the stolen information to the remote C&C server.
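The sign-up behaviour described above (credentials posted to a remote server over unencrypted HTTP) is something an egress proxy or network monitor can flag. The following is an added example, not code from the article or from ESET: a small scanner over constructed, tab-separated log lines of the form METHOD, URL, BODY that reports every POST over plain `http://` whose form or JSON body carries credential-like field names. All hostnames in the sample log are placeholders, not indicators from the report.

```python
"""Flag credential submissions sent over plain HTTP in an egress log.

Added example (not part of the original article). Input is a list of
constructed, tab-separated log lines: METHOD<TAB>URL<TAB>BODY. The
hostnames below are placeholders, not indicators of compromise.
"""
import json
from urllib.parse import parse_qs, urlparse

# Field names that commonly carry credentials in sign-up and login forms.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass",
                     "username", "user", "email", "login"}

# Constructed sample log lines; hosts are placeholders.
SAMPLE_LOG = [
    "POST\thttp://radio.example-placeholder.com/api/signup\t"
    "email=user%40example.com&password=hunter2",
    "POST\thttps://accounts.example.com/login\t"
    "email=user%40example.com&password=hunter2",
    "GET\thttp://stream.example.com/live.m3u8\t",
    "POST\thttp://stream.example.com/track\tsong=12&lang=fa",
    'POST\thttp://api.example-placeholder.com/v1/register\t'
    '{"user": "alice", "pass": "s3cret"}',
]


def body_fields(body: str) -> set:
    """Return the top-level field names of a form-encoded or JSON body."""
    body = body.strip()
    if not body:
        return set()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return set()  # unparseable JSON: nothing to inspect
        return {k.lower() for k in data} if isinstance(data, dict) else set()
    return {k.lower() for k in parse_qs(body, keep_blank_values=True)}


def is_plaintext_credential_post(method: str, url: str, body: str) -> bool:
    """True when a POST over http:// (no TLS) carries credential-like fields."""
    if method.upper() != "POST":
        return False
    if urlparse(url).scheme.lower() != "http":
        return False
    return bool(body_fields(body) & CREDENTIAL_FIELDS)


def find_plaintext_credential_posts(lines) -> list:
    """Hosts that received credential POSTs over plain HTTP, in log order."""
    hits = []
    for line in lines:
        parts = line.split("\t", 2)
        if len(parts) < 2:
            continue  # malformed line: skip rather than crash the scan
        method, url = parts[0], parts[1]
        body = parts[2] if len(parts) == 3 else ""
        if is_plaintext_credential_post(method, url, body):
            hits.append(urlparse(url).hostname)
    return hits


if __name__ == "__main__":
    for host in find_plaintext_credential_posts(SAMPLE_LOG):
        print(f"credentials sent in cleartext to {host}")
```

Only the scheme and the field names are inspected, so the check does not need the credential values themselves; the HTTPS login and the two non-credential requests in the sample pass, and the two plaintext sign-ups are reported by host.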

Similarities with AhMyth

The malicious Radio Balouch app borrowed its functionality from the notorious open-source RAT dubbed AhMyth. The AhMyth RAT was first identified in January 2017 and was later made publicly available via GitHub in late 2017. ESET researchers have been continuously monitoring AhMyth's activity on the internet and have reported many other malicious apps based on this RAT.

How many users are affected?

“On Google Play, we discovered different versions of the malicious Radio Balouch app twice and in each case, the app had 100+ installs. We reported the first appearance of this app on the official Android store to the Google security team on July 2nd, 2019, and it was removed within 24 hours,” said Stefanko.

When the malicious app reappeared on the Google Play store on July 13th, 2019, it was again removed after notification by ESET researchers.

However, Stefanko pointed out that the malicious radio app still exists in many third-party Android app stores. It is also distributed from a dedicated website (radiobalouch[.]com). In addition, the malware actor distributes the malicious app via Instagram and a dedicated YouTube channel. The YouTube channel has apparently not been promoted at all; the video had a mere 21 views, said Stefanko.

An Alert for Android users and Google Play store

“The repeated appearance of the Radio Balouch malware on the Google Play store should serve as a wake-up call to both the Google security team and Android users,” Stefanko said. “Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may appear on Google Play.”

Cyware Publisher