First‑of‑its‑kind spyware sneaks into Google Play

ESET analysis breaks down the first known spyware that is built on the AhMyth open-source espionage tool and has appeared on Google Play – twice



ESET researchers have discovered the first known spyware that is built on the foundations of AhMyth open-source malware and has circumvented Google’s app-vetting process. The malicious app, called Radio Balouch aka RB Music, is actually a fully working streaming radio app for Balouchi music enthusiasts, except that it comes with a major sting in its tail – stealing personal data of its users. The app snuck into the official Android app store twice, but was swiftly removed by Google both times after we alerted the company to it.


AhMyth, the open-source Remote Access Tool from which the Radio Balouch app borrowed its malicious functionality, was made publicly available in late 2017. Since then, we have witnessed various malicious apps based on it; however, the Radio Balouch app is the very first of them to appear on the official Android app store.


ESET’s mobile security solution has been protecting users from AhMyth and its derivatives since January 2017 – even before AhMyth went public. As the malicious functionality in AhMyth is not hidden, protected or obfuscated, it is trivial to identify the Radio Balouch app – and other derivatives – as malicious, and classify them as belonging to the AhMyth family.


Besides Google Play, the malware, detected by ESET as Android/Spy.Agent.AOX, has been available on alternative app stores. Additionally, it has been promoted on a dedicated website, on Instagram, and on YouTube. We have reported the malicious nature of the campaign to the respective service providers, but received no response.


Radio Balouch is a fully working streaming radio app for music specific ..