Thursday, May 1, 2025
HomeAndroidOpen-Source Spyware Spreading Via Google Play Store App to Send SMS, Steal...

Open-Source Spyware Spreading Via Google Play Store App to Send SMS, Steal Contacts, Files & Credentials

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered an open-source spyware AhMyth associated with Google play store app called RB Music to intrude the Android users device to steal various sensitive information.

RB Music also know as Radio Balouch, a malicious streaming radio based Android app appeared in Google play store borrowed malicious features and functionality from AhMyth to infect the Android users in wide.

AhMyth
Radio Balouch Appeared in PlayStore (Souce: ESET)

AhMyth, an open-source espionage tool developed to infect with the Android devices with the help of Android apps that implant to the targeted devices and opens a backdoor to spy the victim activities and steal the data.

- Advertisement - Google News

A desktop application based on electron framework act as a command and control server operating by the attackers to send further commands and obtain the information.

There are several apps were used this AhMyth spyware since 2017, But Radio Balouch is a first app that officially appeared in Google play store.

AhMyth advertising selling in Chinese- and English-speaking underground forum that focuses more on Android devices.

Lukas Stefanko, ESET researcher said through a blog post, “besides Google Play, the malware, detected by ESET as Android/Spy.Agent.AOX has been available on alternative app stores. Additionally, it has been promoted on a dedicated website, via Instagram, and YouTube.”

Radio Balouch streaming radio app initially appeared on July 2nd, 2019 and eventually, the app has been removed from the App Store with the 24 hours. but still, maintain its existence in the 3rd party app store.

Spyware Infection Process

Attacker integrates the radio functionality with the functionality of AhMyth and, implemented with the Radio Balouch app which appears with full functionality including playing a stream of Balouchi music.

In the background, AhMyth’s malicious functionality has enabled and collecting the various devices information, steal the steal contacts, harvest files stored on the device and, send SMS messages.

There are several variants are discovered based on the AhMyth but those variants functionalities are different.

Once the app will be launched, users required to choose the desired languages, soon after the app will start requesting permissions.

Radio Balouch first request the permission for accessing the device files which is the default request for every music app and if its declined then the app will not be work. Next, the app will request permission to access the contact.

Acccording to ESET, After the setup, the app opens its home screen with music options, and offers the option to register and login. However, any “registering” is meaningless as any input will bring the user into the “logined” state, in the operators’ poor English. Probably, this step has been added to lure credentials from the victims and try to break into other services using the obtained passwords – a reminder to never reuse passwords across services. 

Later the app will establish the Command and Control server to transmit the stolen credentials, victims’ contacts lists and other details via unencrypted HTTP connection.

AhMyth
C2 server Communication (Source: ESET)

“The (repeated) appearance of the Radio Balouch malware on the Google Play store should serve as a wake-up call to both the Google security team and Android users. still, there is a lot more possibility for a new clone of Radio Balouch or any other derivative of AhMyth may appear on Google Play.” ESET said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and Hacking News updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Netgear EX6200 Flaw Enables Remote Access and Data Theft

Security researchers have disclosed three critical vulnerabilities in the Netgear EX6200 Wi-Fi range extender...

Tesla Model 3 VCSEC Vulnerability Lets Hackers Run Arbitrary Code

A high security flaw in Tesla’s Model 3 vehicles, disclosed at the 2025 Pwn2Own...

Quantum Computing and Cybersecurity – What CISOs Need to Know Now

As quantum computing transitions from theoretical research to practical application, Chief Information Security Officers...

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New WordPress Malware Disguised as Anti-Malware Plugin Takes Full Control of Websites

The Wordfence Threat Intelligence team has identified a new strain of WordPress malware that...

Konni APT Deploys Multi-Stage Malware in Targeted Organizational Attacks

A sophisticated multi-stage malware campaign, potentially orchestrated by the North Korean Konni Advanced Persistent...

Outlaw Cybergang Launches Global Attacks on Linux Environments with New Malware

The Outlaw cybergang, also known as “Dota,” has intensified its global assault on Linux...