Researchers have discovered the first known spyware based on the AhMyth open-source malware. The malicious app, called Radio Balouch aka RB Music, even made it to Google Play before being removed from the official Android app store twice. Without the knowledge of Balouchi or Balochi music enthusiasts, the radio-streaming app was stealing personal data of its users. AhMyth, the open-source Remote Access Trojan (RAT), has been available since 2017.
“Since then, we have witnessed various malicious apps based on it; however, the Radio Balouch app is the very first of them to appear on the official Android app store,” team ESET explained in a blog. ESET said its mobile security solution “has been protecting users from AhMyth and its derivatives since January 2017 – even before AhMyth went public.”
“As the malicious functionality in AhMyth is not hidden, protected or obfuscated, it is trivial to identify the Radio Balouch app – and other derivatives – as malicious, and classify them as belonging to the AhMyth family,” according to the blog.
The AhMyth malware, detected by ESET as Android/Spy.Agent.AOX, has been available on app stores other than Google Play. It also has a dedicated website and has been promoted on Instagram and YouTube. Team ESET said it had reported the “malicious nature of the campaign to the respective service providers, but received no response.” The team said it discovered different versions of the malicious Radio Balouch app twice. “We reported the first appearance of this app on the official Android store to the Google security team on July 2nd, 2019, and it was removed within 24 hours. The malicious Radio Balouch app reappeared on Google Play on July 13th, 2019. This one, too, was immediately reported by ESET and swiftly removed by Google.”