Open Source Android Spyware AhMyth Enters Google Play Store

Another spyware program managed to bypass the filters of Google Play Store, the official store of applications for Android. The talk is about the AhMyth component implemented in a legitimate program, the source code of which has been available on GitHub for more than two years.

AhMyth is a remote access tool.

Experts from the antivirus company ESET discovered an unwanted program in the vastness of the Play Store.

According to experts, AhMyth exists as an additional load on the Radio Balouch application, which performs the functions of music streaming service.

“The malicious app, called Radio Balouch aka RB Music, is actually a fully working streaming radio app for Balouchi music enthusiasts, except that it comes with a major sting in its tail – stealing personal data of its users”, — report ESET specialists.

After installation, the Internet radio component becomes fully functional, playing the stream of Balouchi music. However, the added malicious functionality allows the application to steal contacts, collect files stored on the device, and send SMS messages from the vulnerable device.

Functionality to steal SMS messages stored on the device is also present. However, this function cannot be used, as recent Google restrictions allow this functionality only to the standard SMS application.

Read also: Google: only 26% of users agreed to change their password when they learned that it was compromised

According to ESET employees, AhMyth was not supposed to get into the Play Store, since the source code of this RAT malware has been available for a long time, therefore, the Play Store security team should know about it.

Lukas Stefanko
Lukas Stefanko

“Malicious functions in AhMyth are not hidden, not obfuscated, and generally not protected. Thus, calculating its presence in another Android application is quite simple”, – explains Lukas Stefanko, a researcher of mobile malware.

According to Stefanko, he discovered AhMyth’s presence on the Play Store twice in one month – on July 2 and 13. In both cases, the unwanted program was removed from the official store a day after detection.

The expert stressed that they removed it after contacting the Play Store security team.

In addition to Google Play, malware containing the AhMyth code and identified by ESET as Android / Spy.Agent.AOX was available in alternative app stores. In addition, it was posted on a special website, on Instagram and on YouTube.

Recommendations from ESET:

While the key security imperative “Stick with official sources of apps” still holds, it alone can’t guarantee security. It is highly recommended that users scrutinize every app they intend to install on their devices and use a reputable mobile security solution.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button