{
	"id": "e006facc-cf4c-40d5-818f-bb936e779bd9",
	"created_at": "2026-04-06T00:18:44.15773Z",
	"updated_at": "2026-04-10T03:30:33.209134Z",
	"deleted_at": null,
	"sha1_hash": "5871c232a39bb288d312e2f4c14fbf1df7656589",
	"title": "First-of-its-kind spyware sneaks into Google Play",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3353340,
	"plain_text": "First-of-its-kind spyware sneaks into Google Play\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 20:14:02 UTC\r\nESET researchers have discovered the first known spyware built on the foundations of the AhMyth open-source malware to have circumvented Google’s app-vetting process. The malicious app, called Radio Balouch aka RB Music, is actually a fully working streaming radio app for Balouchi music enthusiasts, except that it comes with a major sting in its tail – stealing its users’ personal data. The app snuck into the official Android app store twice, but was swiftly removed by Google both times after we alerted the company to it.\r\nAhMyth, the open-source Remote Access Tool from which the Radio Balouch app borrowed its malicious functionality, was made publicly available in late 2017. Since then, we have witnessed various malicious apps based on it; however, the Radio Balouch app is the very first of them to appear on the official Android app store.\r\nESET’s mobile security solution has been protecting users from AhMyth and its derivatives since January 2017 – even before AhMyth went public. As the malicious functionality in AhMyth is not hidden, protected or obfuscated, it is trivial to identify the Radio Balouch app – and other derivatives – as malicious, and to classify them as belonging to the AhMyth family.\r\nBesides Google Play, the malware, detected by ESET as Android/Spy.Agent.AOX, has been available on alternative app stores. Additionally, it has been promoted on a dedicated website, via Instagram, and on YouTube. We have reported the malicious nature of the campaign to the respective service providers, but received no response.\r\nRadio Balouch is a fully working streaming radio app for music specific to the Balouchi region (for the sake of consistency, we follow the spelling used in the campaign; the most common transcriptions are “Balochi” or “Baluchi”). 
In the background, however, the app spies on its victims.\r\nOn Google Play, we discovered different versions of the malicious Radio Balouch app twice, and in each case the app had 100+ installs. We reported the first appearance of this app on the official Android store to the Google security team on July 2nd, 2019, and it was removed within 24 hours.\r\nThe malicious Radio Balouch app reappeared on Google Play on July 13th, 2019. This one, too, was immediately reported by ESET and swiftly removed by Google.\r\nhttps://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/\r\nPage 1 of 6\r\nFigure 1. The malicious Radio Balouch app appeared twice on Google Play\r\nAfter being removed from Google Play, the malicious radio app is, at the time of writing, only available on third-party app stores. It has also been distributed from a dedicated website, radiobalouch[.]com, via a link promoted through a related Instagram account. This server was also used for the spyware’s C&C communications (see below). The domain was registered on March 30th, 2019, and shortly after our complaint the website went down; it is still down at the time of writing.\r\nThe attackers’ Instagram account still, at the time of writing, serves a link to the app that has been removed from Google Play. They have also set up a YouTube channel with one video introducing the app; apparently they are not promoting it, as the video has a mere 21 views at the time of writing.\r\nFigure 2. The Radio Balouch website (left), Instagram account (center) and promotional YouTube video (right)\r\nFunctionality\r\nThe malicious Radio Balouch app works on Android 4.2 and above. 
Its internet radio functionality is bundled with the functionality of AhMyth into one malicious app.\r\nAfter installation, the internet radio component is fully functional, playing a stream of Balouchi music. However, the added malicious functionality enables the app to steal contacts, harvest files stored on the device and send SMS messages from the affected device.\r\nFunctionality for stealing SMS messages stored on the device is also present. However, this functionality cannot be used, since Google’s recent restrictions allow only the device’s default SMS app to access those messages.\r\nAs AhMyth has more variants whose functionalities vary, the Radio Balouch app and any other malware based on this open-source espionage tool might gain further functions in the future via an update.\r\nAfter launch, users choose their preferred language (English or Farsi); in the next step, the app starts requesting permissions. First, it requests access to files on the device, a permission a radio app can plausibly need for its functionality; if the user declines it, the radio does not work.\r\nThen, the app requests permission to access contacts. To camouflage this request, it suggests that contacts access is needed should the user decide to share the app with friends in their contact list. If the user declines to grant the contacts permission, the app works regardless – a sign that the permission serves no legitimate feature.\r\nFigure 3. Radio Balouch app’s permissions requests\r\nAfter the setup, the app opens its home screen with music options, and offers the option to register and log in. However, any “registering” is meaningless, as any input brings the user into the “logined” state, in the operators’ poor English. 
Probably, this step has been added to lure credentials from the victims and try to break into other services using the obtained passwords – a reminder never to reuse passwords across services. On a side note: the credentials are transmitted unencrypted, over a plain HTTP connection.\r\nFigure 4. Radio Balouch app’s Home (left) and Settings (right) screens\r\nFor C&C communication, Radio Balouch relies on its (now defunct) radiobalouch[.]com domain. This is where it would send the information it has gathered about its victims – notably information about the compromised devices and the victims’ contact lists. As with the account credentials, the C&C traffic is transmitted unencrypted over a plain HTTP connection, so anyone on the network path can read it.\r\nFigure 5. Radio Balouch’s communication with its C&C server\r\nConclusion\r\nThe (repeated) appearance of the Radio Balouch malware on the Google Play store should serve as a wake-up call to both the Google security team and Android users. 
Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may appear on Google Play.\r\nWhile the key security imperative “Stick with official sources of apps” still holds, it alone cannot guarantee security. It is highly recommended that users scrutinize every app they intend to install on their devices, in particular the permissions it requests relative to what it claims to do, and use a reputable mobile security solution.\r\nIndicators of Compromise (IoCs)\r\nSHA-1 hash                                 ESET detection name\r\nF2000B5E26E878318E2A3E5DB2CE834B2F191D56   Android/Spy.Agent.AOX\r\nAA5C1B67625EABF4BD839563BF235206FAE453EF   Android/Spy.Agent.AOX\r\nSource: https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/"
	],
	"report_names": [
		"first-spyware-android-ahmyth-google-play"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434724,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5871c232a39bb288d312e2f4c14fbf1df7656589.pdf",
		"text": "https://archive.orkl.eu/5871c232a39bb288d312e2f4c14fbf1df7656589.txt",
		"img": "https://archive.orkl.eu/5871c232a39bb288d312e2f4c14fbf1df7656589.jpg"
	}
}