Contacts-slurping Android malware sneaked onto Google Play store – twice
Could a simple automated scan have picked up open-source nasty? Hmm
Android spyware – open-source spyware, no less – has found its way onto the Google Play store, according to researchers from ESET.
The nefarious software masqueraded as a fully functional internet radio app targeted at the Balouch people of Pakistan, Afghanistan and Iran, the Slovakian threat intel outfit said.
As well as relaying genuine Balouchi music, the malicious radio app also incorporated the AhMyth open-source remote-access trojan. It can be found on Github, of all places.
"The malicious functionality in AhMyth is not hidden, protected, or obfuscated. For this reason, it is trivial to identify the Radio Balouch app – and other derivatives – as malicious and classify them as belonging to the AhMyth family," opined Lukáš Štefanko, the ESET researcher who took a close look at the app.
In a detailed statement about the malware, ESET explained: "For C&C communication, Radio Balouch relies on its (now defunct) radiobalouch[.]com domain. This is where it would send information it has gathered about its victims – notably information about the compromised devices, and the victims' contacts lists. As with the account credentials, the C&C traffic is transmitted unencrypted over an HTTP connection."
The number of downloads of Radio Balouch's app was noted by ESET to be in the hundreds.
What was most concerning, however, was ESET's observation that the app was on the Google Play store – which is supposedly vetted to stop malware-laden apps from entering, but managed to enter at least twice to their knowledge.
The app's legitimacy was astroturfed through the creation of YouTube and Instagram accounts, making it seem superficially legitimate.
Google Play's review processes, whatever they are, are not known for their thoroughness. Just a few weeks ago 130,000 people were known to have downloaded stalkerware, intended for silently monitoring spouses without their knowledge, while in January security biz Trend Micro reckoned nine million had been infected with malware from... the Google Play store!
The best thing you can do to defend against dodgy apps is to check them out before downloading and scan new downloads with a reputable and up-to-date anti-malware suite, as well as keeping a close eye on what permissions new and existing apps alike are demanding.
Good luck out there, fandroids. ®