Google Twice Misses Android App with Open-Source Spyware Code




An Android application with spyware capabilities, built on an open-source remote access tool (RAT), has slipped past Google Play's security checks twice in the span of two weeks.

Radio Balouch (or RB Music) embedded functionality from AhMyth Android RAT, an open-source project that was published in late 2017. Since its release, several malicious mobile apps have borrowed its code to spy on Android users.

There is a first for everything

Until now, there had been no report of an AhMyth-based app being distributed through Google Play. That makes Radio Balouch the first of its kind to bypass Google's app vetting and reach the official Android app store.

RB Music is a fully functional streaming app for Balouchi music, a traditional genre from the Balochistan region of Southwest Asia, but it also steals contacts, harvests files and sends SMS messages.

The SMS feature does not work, however, because of recent Google Play restrictions that require an app to be "actively registered as the default SMS or Assistant handler on the device" before it may use SMS permissions.

Lukas Stefanko, Android malware researcher at ESET, says the AhMyth-based spyware is also available in alternative app stores and has been promoted on Instagram and YouTube. Although ESET reported the campaigns to the service providers, it received no response.

The malicious Radio Balouch app was first reported on Google Play on July 2 and removed a day later. It reappeared on July 13, and Google again acted quickly to remove it. In both cases the app had been downloaded more than 100 times.

ESET's research does not describe any particular technique used to evade Google's security checks, which is all the more surprising given that AhMyth has been public for so long and its code is not obfuscated.

Although 100 downloads is not wide distribution, it is worth noting that the spyware app was relaunched on the official Android store after ESET had already reported it.

Better screening needed

Spyware-laden variants of RB Music are still present in third-party app stores, Stefanko says, and the developer has created Instagram and YouTube accounts that may be used to promote them.

"At the time of this writing, the attackers' Instagram account still contains a link to the app that was removed from Google Play. They also created a YouTube channel with a video showing it, but apparently they are not promoting it, as the video has only 21 views at the time of writing."

ESET's research shows that Radio Balouch offers the option of registering an account. This is merely a lure to get users to enter login credentials: whatever is typed in, the app reports that registration succeeded.

Stefanko believes this feature is intended to harvest credentials so they can be tried against accounts on other services in credential stuffing attacks.

The researcher warned that, unless Google improves its screening of malicious apps, clones of this app or other AhMyth derivatives are likely to keep appearing on the Play Store.
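The article attributes three capabilities to RB Music (contact theft, file collection and SMS sending), none of which a music streaming app needs. The script below is an added example, not ESET's code and not anything from the Radio Balouch app: it reads a decoded AndroidManifest.xml (the text form a tool such as apktool produces), compares the declared permissions against an assumed baseline for a music app, and flags the permissions that correspond to the capabilities described. The sample manifest, the baseline set and the package name are all constructed for the example.

```python
"""Heuristic manifest screening for spyware-style permission requests.

Added example: a reviewer-side check over a decoded AndroidManifest.xml.
It is not ESET's analysis tooling; the baseline and sample data are assumed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a plain music-streaming app plausibly needs (assumed baseline).
EXPECTED_FOR_MUSIC = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
    "android.permission.FOREGROUND_SERVICE",
}

# Permissions that map onto the capabilities the article describes.
SUSPICIOUS = {
    "android.permission.READ_CONTACTS": "contact theft",
    "android.permission.READ_EXTERNAL_STORAGE": "file collection",
    "android.permission.SEND_SMS": "SMS sending",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS reading",
}

# Constructed manifest: looks like a music app but declares RAT-style permissions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rbmusic.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="RB Music Sample"/>
</manifest>
"""

# Constructed manifest of a benign streaming app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleanplayer.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="Clean Player Sample"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # android:name is namespaced
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def screen_manifest(manifest_xml: str, baseline=EXPECTED_FOR_MUSIC) -> dict:
    """Flag suspicious permissions and list any others outside the baseline.

    A non-empty 'flagged' dict yields a 'review' verdict; the caller decides
    what a review entails (static analysis, dynamic run, rejection).
    """
    perms = declared_permissions(manifest_xml)
    flagged = {p: SUSPICIOUS[p] for p in sorted(perms) if p in SUSPICIOUS}
    unexpected = sorted(perms - baseline - set(SUSPICIOUS))
    return {
        "permissions": sorted(perms),
        "flagged": flagged,
        "unexpected": unexpected,
        "verdict": "review" if flagged else "ok",
    }


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = screen_manifest(manifest)
        print(label, result["verdict"], result["flagged"])
```

A permission list alone never proves malice, and AhMyth-derived apps may request exactly these permissions for plausible-sounding reasons, so the check is a triage filter that decides which submissions get a closer look, not a verdict in itself.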

"Even if the key security imperative 'Stay with the official sources of applications' is still valid, it alone cannot guarantee security. It is highly recommended that users examine each application that they intend to install on their devices and use a reputable mobile security solution." – Lukas Stefanko
