The Google Play Store continues to attract sketchy Android apps despite Google’s best efforts to vet incoming apps for malware.
In a new report published by security firm ESET, researchers have discovered the first known instance of an open-source spyware bypassing the internet giant’s app store vetting process — twice.
Radio Balouch — the app in question — is a legitimate radio app serving Balouchi music enthusiasts, except that it also included AhMyth, a remote access espionage tool that has been available on GitHub as an open-source project since late 2017.
Lukas Stefanko, the ESET researcher who uncovered the campaign, said the app was uploaded twice on Google Play — once on July 2 and a second time on July 13 — and that Google swiftly removed both uploads within 24 hours of being alerted by the security team. It continues to be available on third-party app stores.
While the service’s dedicated website “radiobalouch.com” is no longer accessible, the attackers also seem to have promoted the app on Instagram and YouTube. The app, in total, attracted over 100 installs.
Upon launch, the app was found to ask for permission to access the device’s files and contacts, and to “send information it has gathered about its victims — notably information about the compromised devices, and the victims’ contacts lists” to a C&C server on the now-defunct radiobalouch.com domain.
#ESETresearch discovered the first known #spyware built on the foundations of AhMyth open-source malware that made it onto @GooglePlay. The #RadioBalouch app is a fully working streaming radio app, except – it steals personal data of users. @LukasStefanko https://t.co/MRKufoV2Xp pic.twitter.com/3iPRD8wJd3
— ESET research (@ESETresearch) August 22, 2019
Worse, the information was transmitted unencrypted over an HTTP connection. That a successful spyware incorporated an open-source malware is alarming enough, but the fact that the same app got by Google’s defenses twice is a real cause for concern.
Not only does it raise questions about Google’s supposed vetting process, it also leaves unsuspecting users at risk of having their data hijacked by malicious actors.
Still, the same rule of caution applies. It’s always best to keep your phone’s software up to date, refrain from downloading apps from unknown sources, and be cautious of the permissions requested by apps.
“While the key security imperative ‘Stick with official sources of apps’ still holds, it alone can’t guarantee security,” Stefanko said. “It is highly recommended that users scrutinize every app they intend to install on their devices.”