You know Play Store security scans are really bad when spyware based on open source code manages to slip past Google's defenses, not once, but twice.
The Android app that did this is called Radio Balouch, also RB Music, an app for streaming Balouchi music, specific to a geographical region and population that spreads across Iran, Afghanistan, and Pakistan.
Cyber-security firm ESET said this app, besides containing a legitimate radio streaming component, also integrated AhMyth, an remote access tool that has been available on GitHub as an open source project for more than two years.
Should have been avoidable
In a technical report published today detailing Radio Balouch's features, ESET said this was the first known instance of a malicous app based on AhMyth reaching the Play Store, something which should have never happened due to AhMyth's age and availability as an open source project of which the Play Store security team should have known about.
"The malicious functionality in AhMyth is not hidden, protected, or obfuscated," said Lukáš Štefanko, malware researcher at ESET, who conducted the investigation into the malicious app. "For this reason, it is trivial to identify the Radio Balouch app - and other derivatives - as malicious and classify them as belonging to the AhMyth family."
"Nothing special was used to bypass either Google's IP or postpone the malicious function. I think it wasn't detected because users first had to set up the app - set the language, allow permissions, go through a couple of 'next' buttons, for an app overview and only then would the malicious code be launched," he told ZDNet.
Štefanko said ESET spotted two instances of the malware being uploaded on the Play Store, one on July 2, and the second on July 13. Both were removed within a day, but only after they contacted the Play Store staff.
While the two apps never managed to get more than 100 installs, the problem here was the fact that they ended up on the Play Store using nothing more than unobfuscated open-source code.
"The (repeated) appearance of the Radio Balouch malware on the Google Play store should serve as a wake-up call to both the Google security team and Android users," Štefanko said.
"Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may appear on Google Play," he added.
Google did not return a request for comment from ZDNet regarding the background of this major Play Store security slip-up.
Play Store still better than any alternative
In the meantime, the malicious Radio Balouch app remains available for download via third-party Android app stores.
While the Play Store team might have failed users this time, the advice that users should limit the app they install on their phones to the ones they get from the Play Store remains valid.
Google still puts considerable effort into scanning for malicious apps, compared to any other third-party store, both pre and post app installation.
They might have bungled AhMyth's detection, but the Play Store staff catches billions other threats every year.
Nevertheless, Štefanko also recommends that users install a mobile security app, just to be safe, in case Google misses anything, like in this case.
Since the two mallicious app targeted Iranian users, the targets of many cyber-espionage campaigns carried out in the past by Iranian state-sponsored groups, ZDNet also asked Štefanko if Radio Balouch was the work of such a group.
"That was also the first thing that came up to me, but I didn't find any connection to any Iranian or other APT," the ESET researcher told ZDNet.
Updated an hour after publication with additional comments from Štefanko.