Another spyware program has bypassed the filters of the Google Play Store, the official app store for Android. It is built on AhMyth, a component embedded in an otherwise legitimate program; AhMyth's source code has been available on GitHub for more than two years.
AhMyth is a remote access tool.
Experts from the antivirus company ESET discovered the unwanted program on the Play Store.
According to the experts, AhMyth ships as an additional payload inside the Radio Balouch application, which functions as a music streaming service.
“The malicious app, called Radio Balouch aka RB Music, is actually a fully working streaming radio app for Balouchi music enthusiasts, except that it comes with a major sting in its tail – stealing personal data of its users,” report ESET specialists.
After installation, the Internet radio component is fully functional and plays a stream of Balouchi music. However, the added malicious functionality allows the application to steal contacts, collect files stored on the device, and send SMS messages from the infected device.
The code for stealing SMS messages stored on the device is also present, but it cannot be used: recent Google restrictions grant that access only to the default SMS application.
According to ESET employees, AhMyth should not have made it into the Play Store: the source code of this RAT has long been publicly available, so the Play Store security team should have known about it.
“Malicious functions in AhMyth are not hidden, not obfuscated, and generally not protected. Thus, calculating its presence in another Android application is quite simple,” explains Lukas Stefanko, a mobile malware researcher.
According to Stefanko, he discovered AhMyth’s presence on the Play Store twice in one month – on July 2 and 13. In both cases, the unwanted program was removed from the official store a day after detection.
The expert stressed that the app was removed after the Play Store security team was contacted.
Besides Google Play, the malware containing the AhMyth code, which ESET detects as Android/Spy.Agent.AOX, was available in alternative app stores. It was also posted on a dedicated website, on Instagram and on YouTube.
While the key security imperative “Stick with official sources of apps” still holds, it alone can’t guarantee security. It is highly recommended that users scrutinize every app they intend to install on their devices and use a reputable mobile security solution.
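One way to scrutinize an app along these lines is to compare the permissions it requests with what its stated purpose needs. The following is an added example, not code from ESET or from the article: it audits a decoded `AndroidManifest.xml` for the capabilities described above (contacts, stored files, SMS). The sample manifest, the package name `com.example.radio` and the "expected for a radio app" allow-list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions that map to the capabilities the article describes.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "can read the contact list",
    "android.permission.READ_EXTERNAL_STORAGE": "can read files stored on the device",
    "android.permission.SEND_SMS": "can send SMS messages",
    "android.permission.READ_SMS": "can read stored SMS (restricted to the default SMS app)",
}
# Assumption: what a streaming radio player plausibly needs.
EXPECTED_FOR_RADIO = {"android.permission.INTERNET", "android.permission.WAKE_LOCK",
                      "android.permission.FOREGROUND_SERVICE"}

# Constructed sample manifest; NOT taken from the real Radio Balouch app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.radio">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def audit(manifest_xml, expected=EXPECTED_FOR_RADIO):
    """Split requested permissions into flagged-sensitive and merely unexpected."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE and p not in expected}
    unexpected = sorted(perms - set(expected) - set(SENSITIVE))
    return flagged, unexpected

if __name__ == "__main__":
    flagged, unexpected = audit(SAMPLE_MANIFEST)
    for perm, why in flagged.items():
        print(f"FLAG  {perm}: {why}")
    print("Unexpected but not sensitive:", unexpected)
```

A flagged permission is a reason to look closer, not a verdict: a legitimate app may justify it, and a malicious one may request permissions only at runtime.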