A new type of Android-centric spyware has been found that is capable of avoiding Google’s app-vetting process.
Malicious actors have placed the spyware in an app called Radio Balouch, aka RB Music, which does in fact deliver on its advertised promise of playing Balouchi-style music, a traditional music that encompasses classical, semi-classical, and folk music originating from the region of southwest Pakistan, southeast Iran, and southwest Afghanistan. However, in addition to delivering the music, the app steals the users' personal information, ESET reported.
The app is built on the AhMyth open-source malware, and its ability to dodge Google's security enabled it to sneak into Google Play twice, although there have been fewer than 200 downloads across both listings. AhMyth was made publicly available in December 2017, but the Radio Balouch app is the first known to successfully use the malware to infiltrate Google Play.
"Besides Google Play, the malware, detected by ESET as Android/Spy.Agent.AOX, has been available on alternative app stores. Additionally, it has been promoted on a dedicated website, via Instagram, and YouTube. We have reported the malicious nature of the campaign to the respective service providers, but received no response," ESET wrote.
ESET reported the first appearance of this app on the official Android store to the Google security team on July 2, 2019, and it was removed within 24 hours. It then reappeared on July 13, was reported again, and was removed a second time.
ESET also found AhMyth-based malware in some third-party stores.