Contacts-slurping Android malware sneaked onto Google Play store – twice

Contacts-slurping Android malware sneaked onto Google Play store – twice

Could a simple automated scan have picked up open-source nasty? Hmm


Android spyware – open-source spyware, no less – has found its way onto the Google Play store, according to researchers from ESET.


The nefarious software masqueraded as a fully functional internet radio app targeted at the Balouch people of Pakistan, Afghanistan and Iran, the Slovakian threat intel outfit said.


As well as relaying genuine Balouchi music, the malicious radio app also incorporated the AhMyth open-source remote-access trojan. It can be found on Github, of all places.


"The malicious functionality in AhMyth is not hidden, protected, or obfuscated. For this reason, it is trivial to identify the Radio Balouch app – and other derivatives – as malicious and classify them as belonging to the AhMyth family," opined Lukáš Štefanko, the ESET researcher who took a close look at the app.


In a detailed statement about the malware, ESET explained: "For C&C communication, Radio Balouch relies on its (now defunct) radiobalouch[.]com domain. This is where it would send information it has gathered about its victims – notably information about the compromised devices, and the victims' contacts lists. As with the account credentials, the C&C traffic is transmitted unencrypted over an HTTP connection."


The number of downloads of Radio Balouch's app was noted by ESET to be in the hundreds.


What was most concerning, however, was ESET's observation that the app was on the Google Play store – which is supposedly vetted to stop malware-laden apps from entering, but managed to enter at least twice to their knowledge.


The app's legitimacy was astroturfed through the creation of YouTube and Instagram accounts, making it seem superficially legitimate.


Google Pl ..