Google removes Android app that was used to spy on Belarusian protesters

App mimicked a popular anti-government news site and collected location and device owner details.
Written by Catalin Cimpanu, Contributor

One of the images used to promote the malicious NEXTA LIVE app.

Google has removed this week an Android app from the Play Store that was used to collect personal information from Belarusians attending anti-government protests.

The app, named NEXTA LIVE (com.moonfair.wlkm), was available for almost three weeks on the official Android Play Store, and was downloaded thousands of times and received hundreds of reviews.

To get installs, NEXT LIVE claimed to be the official Android app for Nexta, an independent Belarusian news agency that gained popularity with anti-Lukashenko protesters after exposing abuses and police brutality during the country's recent anti-government demonstrations.

However, in a statement published on Telegram last week, Nexta said the app was not associated with its service and was designed to collect data from users and de-anonymize protest-goers.


"Do not install under any circumstances. Warn your friends, maximum repost!," Nexta staff wrote in their Telegram channel.

Nexta also asked users to immediately uninstall the app from their devices, give the app a bad rating and review, and then report it to Google staff.

App collected location data and device owner details

This mass-reporting strategy worked, and the app was removed earlier this week. However, for many users, the damage is already done.

According to a Belarusian security researcher — who we will call S. for his protection and privacy —, the app was designed for mass-harvesting purposes. In a summary analysis he shared with Nexta readers, S. said the app was designed to collect geolocation data, gather info on the device owner, and then upload the data to a remote server at regular intervals.

Android malware researcher Gabriel Cîrlig, who ZDNet asked earlier today to also look at NEXTA LIVE, said the app appears to communicate with a domain hosted on a Russian IP address, at arcpi.nextialive.roimaster[.]site (89.223.89[.]47).

Both the domain and IP address aren't listed on any threat intelligence feeds, having no affiliations to previous malware campaigns, according to a search performed by ZDNet today.

However, the same IP address previously hosted other suspicious-looking domains (i.e., hackappnewcrmuzbekistan.roimaster[.]site), which suggests there is more to this server than meets the eye.

Nonetheless, a location-gathering feature has no place in a news-centered app, especially one that's popular with anti-government protesters in a politically unstable country currently governed by an autocratic leader fighting to remain in power.

While there is no official link between the fake Nexta app and the Minsk government, this would hardly be the first time that a government would try to spy on its citizens in the midst of anti-government protests, in attempts to identify protest-goers.

Similar incidents happened in Venezuela and Iran in 2019, and even the US, earlier this year, during Black Lives Matter protests.

Further, Belarusians are right to be wary of the app and possible links to the local government after earlier this year Belarusian police raided the offices of ride-hailing companies Yandex and Uber, in what protesters described as an attempt to obtain ride location data in order to identify who participated in anti-government demonstrations.

10 best smartphones not made in China

Editorial standards