Google Android users are being warned to be vigilant after security researchers at ESET discovered that a rogue spyware app has hit the official Play store, twice. It comes after researchers at Trend Micro warned last weekend that adware-ridden apps had been downloaded by 8 million Play Store users.
The spyware-containing app, called Radio Balouch or RB Music, is based on the open source espionage tool called AhMyth. Its malicious intentions are cleverly hidden. The app offers fully working streaming radio for Balouchi music enthusiasts, but it also steals your personal data.
It’s not the first time malicious apps based on AhMyth have appeared since it was made publicly available in late 2017. However, Radio Balouch is the first to make it onto the official Google Play store. And the researchers say its spying capabilities could easily be attached to another app.
Android spyware on the Play Store: What happened and what does the app do?
The spyware-ridden app was removed after it was initially discovered and reported to Google by the ESET researchers. However, it wasn’t long before the attackers put the app back up on Google Play, when it was once again found by ESET and removed by Google.
Lukas Stefanko, the malware researcher at ESET who conducted the investigation, said the fact that Google let the same developer post “this evident malware” to the store repeatedly is “disturbing.”
The malware, which ESET detected as Android/Spy.Agent.AOX, was available on alternative app stores in addition to Google Play. It has also been promoted on a dedicated website, via Instagram, and YouTube. ESET has reported this but is yet to receive a response.
The data-stealing capabilities of Radio Balouch are pretty disturbing. The malicious functionality enables the app to steal contacts, harvest files and send SMS messages from the affected device.
But luckily, the malicious app hadn’t netted too many installs by the time it was removed: ESET detected just over 100.
A wake-up call for Google’s Play store?
The install numbers aren’t huge, but the fact that spyware was able to make it onto Google’s Play store is concerning, because it means it could easily happen again. “The repeated appearance of the Radio Balouch malware on the Google Play store should serve as a wake-up call to both the Google security team and Android users,” Stefanko said. “Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may appear on Google Play.”
It’s a significant and well-known problem, and it appears that Google is finding it increasingly difficult to police its Play store. “Apple seems to be stricter when it comes to reviewing apps, as well as placing some security limitations on developers,” says independent security researcher Sean Wright. “Google is a lot more open, allowing developers to potentially introduce security flaws in their apps.”
“Google should really do a better job at vetting apps and blocking malicious ones from its play store,” says ethical hacker John Opdenakker. “They should improve their malware detection algorithms.”
He says it’s “unbelievable” that so many malicious apps make it to the Google Play store and concerning that this was allowed to happen multiple times.
Spyware on Google Play: What to do
In general, there are a few things you can do to avoid becoming a victim in the future. It’s important to keep your Android device up-to-date and use anti-virus to protect it. In addition, be cautious about the permissions an app requests, and make sure you read the reviews.
“Before downloading, people need to do their own due diligence on apps,” says Jake Moore, cybersecurity expert at ESET. “They need to start by researching the developer and reading reviews on the app and others they may have created.
“If you choose to download, you need to take a good look at the app permissions they are trying to request from your device too. The Play store may seem like a minefield, but Google tends to trust users to do their own research, plus they are very quick to act if an app is shown to be malicious.”
People should always pay attention to the permissions required by the app, agrees Wright: “If it is a flashlight app, it should not need to access your contacts.”
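As an added illustration of the permissions check described above (example code written for this page, not from ESET or the article), the script below parses the text of `adb shell dumpsys package <package>` and flags permissions that a streaming-radio or flashlight app should not need. The dumpsys excerpt and package name are constructed, and the risky-permission list is this example's own choice.

```python
import re

# Permissions a streaming-radio or flashlight app has no business requesting.
# Contacts, files and SMS match the capabilities ESET describes; the list
# itself is this example's own choice, not ESET's.
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "can read the contact list",
    "android.permission.SEND_SMS": "can send SMS messages",
    "android.permission.READ_EXTERNAL_STORAGE": "can read files on shared storage",
    "android.permission.RECORD_AUDIO": "can record from the microphone",
}

# Constructed excerpt in the layout of 'adb shell dumpsys package <pkg>';
# the package name is made up and is not the real app's.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.radio]:
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.SEND_SMS
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
"""

def parse_permissions(dumpsys_text: str) -> set[str]:
    """Collect the 'requested permissions:' block plus any granted=true lines."""
    perms: set[str] = set()
    in_requested = False
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        if line == "requested permissions:":
            in_requested = True
        elif line.endswith(":"):          # any other section header ends the block
            in_requested = False
        elif in_requested and line:
            perms.add(line)
        else:
            m = re.match(r"([\w.]+): granted=true", line)
            if m:
                perms.add(m.group(1))
    return perms

def flag_risky(perms: set[str]) -> list[str]:
    """Return sorted 'permission: reason' strings for the risky permissions."""
    return sorted(f"{p}: {RISKY_PERMISSIONS[p]}" for p in perms if p in RISKY_PERMISSIONS)
```

Feed it the real output of `adb shell dumpsys package <package>` in place of the constructed sample to audit an installed app.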
Issues with the Play store are really starting to grate on Android users. If Google doesn’t do something about it soon, it’s possible that some people may even choose to give up on the operating system altogether.