ESET analysis breaks down the first known spyware that is built on the AhMyth open-source espionage tool and has appeared on Google Play – twice
ESET researchers have discovered the first known spyware built on the AhMyth open-source malware, and it circumvented Google's app-vetting process. The malicious app, called Radio Balouch aka RB Music, is actually a fully working streaming radio app for Balouchi music enthusiasts, except for one significant catch: it steals its users' personal data. The app sneaked into the official Android app store twice, but was swiftly removed by Google once we alerted them.
AhMyth, the open-source remote access tool that supplies the malicious functionality of the Radio Balouch app, was published in early 2017. We have seen several malicious apps based on it since then; however, Radio Balouch is the first to appear on the official Android app store.
ESET's mobile security solution has protected users from AhMyth and its derivatives since January 2017, even before AhMyth was released. Since AhMyth's malicious functionality is not obfuscated, protected or encrypted, it is trivial to identify the Radio Balouch app, and other derivatives, as malicious and to classify them as belonging to the AhMyth family.
Besides Google Play, the malware, detected by ESET as Android/Spy.Agent.AOX, has also been available on alternative app stores. It was also promoted via a dedicated website, Instagram and YouTube. We have notified the respective service providers of the malicious nature of the campaign, but received no reply.
Radio Balouch is a fully working streaming radio app for Balouchi-specific music (for consistency we follow the spelling the app uses; “Balochi” or “Baluchi” are more common). In the background, however, the app spies on its victims.
We found the malicious Radio Balouch app on Google Play twice, in separate versions, and in each case it had more than 100 installs. We reported the first appearance of this app in the official Android store to the Google Security Team on 2 July 2019, and it was removed within 24 hours.
On 13 July 2019, the malicious Radio Balouch app reappeared on Google Play. This instance, too, was promptly reported by ESET and quickly removed by Google.
The malicious Radio Balouch app appeared twice on Google Play
Following its removal from Google Play, the malicious radio app remains available only on third-party app stores at the time of writing. It was also distributed via a link on a dedicated website, radiobalouch[.]com, promoted through an associated Instagram account. The same server was used for the spyware's C&C communication (see below). The domain was registered on 30 March 2019; the website went down shortly after our report and remains down at the time of writing.
At the time of writing, the attackers' Instagram account still contains a link to the app that was removed from Google Play. They also have a YouTube channel with a video presenting the app, which is apparently not being promoted, as the video had a mere 21 views at the time of writing.
The Radio Balouch website (left), Instagram account (center) and promotional YouTube video (right)
The malicious Radio Balouch app works on Android 4.2 and higher. It bundles its internet radio functionality with AhMyth's functionality in a single malicious application.
The internet radio component is fully functional once installed, playing a stream of Balouchi music. The added malicious functionality allows the app to steal contacts, harvest files stored on the device and send SMS messages from the affected device.
It also contains functionality to steal SMS messages stored on the phone. However, this feature cannot be used, because under Google's latest restrictions only the default SMS app can access such messages.
Since AhMyth exists in multiple variants with differing functionality, the Radio Balouch app, and any other malware based on this open-source spyware, may acquire new functionality in future updates.
On launch, users choose their preferred language (English or Farsi); in the next step, the app begins requesting permissions. First, it asks for access to files on the device, a legitimate permission for a radio app to function; if denied, the radio will not work.
Next, the app requests the contacts permission. To camouflage its need for this permission, the app claims the feature is needed in case the user decides to share the app with friends from their contact list. The app works regardless of whether the user grants the contacts permission.
Radio Balouch app’s permissions requests
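As an added example (not code from the ESET analysis, nor from the malware), the following Python snippet shows the kind of manifest triage an analyst would run on an app like this: it compares the permissions an APK declares against a baseline of what a plain internet-radio app plausibly needs, and maps the excess permissions to the spying capabilities described above. The sample manifest, its package name and the baseline set are constructed for illustration; only the permission names are real Android constants, and the minSdkVersion of 17 corresponds to Android 4.2.

```python
"""Permission triage for an Android manifest (added example, constructed input)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical baseline: permissions a plain internet-radio app plausibly needs.
# Storage access is included because, as noted above, the app needs it to play.
EXPECTED_FOR_RADIO = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Real android.permission constants mapped to the spying capabilities above.
SPYWARE_INDICATORS = {
    "android.permission.READ_CONTACTS": "contact theft",
    "android.permission.SEND_SMS": "sending SMS from the device",
    "android.permission.READ_SMS": "reading stored SMS (blocked unless default SMS app)",
    "android.permission.RECEIVE_SMS": "intercepting incoming SMS",
}

# Constructed manifest; package name and contents are made up for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.radio">
    <uses-sdk android:minSdkVersion="17" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_SMS" />
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def min_sdk(manifest_xml):
    """Return android:minSdkVersion as an int, or None if <uses-sdk> is absent.
    API level 17 corresponds to Android 4.2, the minimum the article reports."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if sdk is None:
        return None
    return int(sdk.get(f"{{{ANDROID_NS}}}minSdkVersion"))


def triage(manifest_xml):
    """Split declared permissions into those outside the radio baseline and
    those that map to a known spying capability."""
    perms = declared_permissions(manifest_xml)
    return {
        "min_sdk": min_sdk(manifest_xml),
        "unexpected": sorted(perms - EXPECTED_FOR_RADIO),
        "spyware_indicators": {
            p: SPYWARE_INDICATORS[p] for p in sorted(perms) if p in SPYWARE_INDICATORS
        },
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

On a real APK, the manifest is binary XML and must first be decoded (for example with apktool or androguard); the baseline is the analyst's judgement of the app's advertised purpose, which is exactly the comparison that makes a contacts or SMS permission stand out on a radio player.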
Once installed, the app opens its home screen with music options and offers the option to log in and register. However, the “registration” makes no sense, as any input puts the user in the “logged” state, in the attackers' broken English. This step has most likely been added to harvest victims' credentials and attempt to break into other services with the captured passwords, a reminder that passwords should never be reused across services. On a side note: the credentials are sent over an unencrypted HTTP connection.
Radio Balouch app’s Home (left) and Settings (right) screens
Radio Balouch relies on its (now dead) radiobalouch[.]com domain for C&C communication. It sends data about its victims there, specifically information about the compromised device and the victim's contact list. As with the account credentials, the C&C traffic is transferred unencrypted over HTTP.
Radio Balouch’s communication with its C&C server
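The two cleartext channels described above (the login credentials and the C&C traffic, both over plain HTTP) are what a network defender would look for. The following Python snippet is an added example, not code from the ESET analysis or from the malware: it parses raw HTTP/1.x requests and flags those that go to a watchlisted host, carry a password field in the body, or carry what looks like a contact-list dump. The sample requests, paths, field names and thresholds are constructed; the article only states that the traffic is unencrypted HTTP to radiobalouch[.]com and does not publish the real request format.

```python
"""Flag cleartext HTTP requests carrying credentials or a contact dump (added example)."""
import re
from urllib.parse import parse_qs, unquote_plus

# The article names radiobalouch[.]com (defanged there) as the C&C host.
WATCHLIST_HOSTS = {"radiobalouch.com"}
# Form-field names that typically carry a password; an assumption for this example.
PASSWORD_KEYS = {"password", "pass", "passwd", "pwd"}
PHONE_RE = re.compile(r"\+?\d{7,15}")
CONTACT_DUMP_THRESHOLD = 5  # assumed: five or more phone numbers in one body

# Constructed requests; paths, bodies and numbers are made up. The article does
# not publish the real request format, only that credentials and C&C data go
# over unencrypted HTTP to the domain above.
SAMPLE_REQUESTS = [
    "POST /login.php HTTP/1.1\r\nHost: radiobalouch.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=hunter2",
    "POST /upload.php HTTP/1.1\r\nHost: radiobalouch.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "contacts=Ali%3A%2B923001234567%2CSara%3A%2B923009876543%2COmid%3A%2B923005551212"
    "%2CNadia%3A%2B923007770000%2CReza%3A%2B923002223333",
    "GET /stream.mp3 HTTP/1.1\r\nHost: example-radio.test\r\n\r\n",
]


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify_request(raw, dst_port=80):
    """Return the reasons (possibly none) a request looks like cleartext exfiltration.
    Only plaintext transport (port 80 here) is in scope: the same body over TLS
    would not be visible to a network sensor at all."""
    if dst_port != 80:
        return []
    method, _path, headers, body = parse_http_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    reasons = []
    if host in WATCHLIST_HOSTS:
        reasons.append(f"request to watchlisted host {host}")
    if method == "POST":
        fields = {k.lower() for k in parse_qs(body, keep_blank_values=True)}
        found = sorted(PASSWORD_KEYS & fields)
        if found:
            reasons.append("password field in cleartext POST body: " + ", ".join(found))
        if len(PHONE_RE.findall(unquote_plus(body))) >= CONTACT_DUMP_THRESHOLD:
            reasons.append("contact-list dump (phone numbers) in cleartext POST body")
    return reasons


def scan(requests):
    """Map each request's index to its list of reasons, skipping clean ones."""
    return {i: r for i, r in ((i, classify_request(raw)) for i, raw in enumerate(requests)) if r}


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_REQUESTS).items():
        print(idx, reasons)
```

The host watchlist is the weakest of the three signals (the domain is already dead, and a new build could point elsewhere); the password-field and contact-dump checks are content-based and survive a change of C&C host, which is the point of keying detection on the cleartext exfiltration itself rather than on the indicator.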