SonicWALL - ANDROID STREAMING MUSIC PLAYER BORROWS SPYWARE COMPONENTS FROM AHMYTH RAT

Reusing software code makes the development cycle more efficient and is a practice followed by many developers, including malware developers. It is not uncommon to see malware writers reuse parts of code from other malware families, or from malware that was active in the past. SonicWall Capture Labs Threats Research Team observed reports of a few cases in which an Android malware sample carried code present in a relatively older Remote Access Trojan (RAT) called Ahmyth RAT. More information regarding this RAT can be found in our March 6, 2018 blog post.

A streaming Android music player app that goes by the name RB music was found to contain spyware-related components of the Ahmyth RAT that allow it to steal sensitive information from the infected device.

INFECTION CYCLE

The app appears in the app drawer with the icon as shown below:

Upon starting the app, we found that a number of features, such as online music streaming, were not functioning, mainly because the server this app communicates with – h[xx]p://radiobalouch.com – is down:

However, the original intention was to give victims a fully working streaming music player so that they would not suspect the app, while it stole sensitive victim information in the background.

TRAFFICKING SENSITIVE USER INFORMATION

Upon execution, the app starts communicating with the server. One of the first things it does is register the infected device with the server; the ID used for registration is the IMEI of the device:

Shortly afterwards, contacts from the infected device are transmitted to the server:

It should be noted that the above-mentioned data exchange happens over plain HTTP, which raises further security issues. For instance, if the victim is connected to an unsecured Wi-Fi network, anyone on that network can snoop on the traffic and extract the sensitive information being transmitted by this malware.
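As an added example that is not part of the original post, the following Python triages egress log lines for the two plaintext exchanges described above: a device registration carrying a Luhn-valid IMEI and a contact dump, both sent over HTTP to the C2 host named in this write-up. The log format, URL paths and payload values are constructed placeholders, not data observed in the sample.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy/egress log in "METHOD URL [BODY]" form. Only the host
# comes from the write-up; paths, IMEIs and contacts are made-up placeholders.
SAMPLE_LOG = """\
POST http://radiobalouch.com/register id=356938035643809
POST http://radiobalouch.com/contacts name=Alice;phone=+15551234567,name=Bob;phone=+15559876543
GET https://example.org/stream?track=42
POST http://radiobalouch.com/register id=123456789012345
"""

SUSPECT_HOSTS = {"radiobalouch.com"}  # C2 host named in the analysis

def luhn_ok(digits: str) -> bool:
    """IMEIs carry a Luhn check digit; reject 15-digit runs that fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_imeis(text: str) -> list:
    """Return standalone 15-digit runs that pass the Luhn check."""
    return [m for m in re.findall(r"(?<!\d)\d{15}(?!\d)", text) if luhn_ok(m)]

def analyse_line(line: str) -> dict:
    """Flag a single log line; reasons are empty when nothing looks suspicious."""
    parts = line.split(" ", 2)
    method, url = parts[0], parts[1]
    body = parts[2] if len(parts) > 2 else ""
    u = urlsplit(url)
    reasons = []
    if u.hostname in SUSPECT_HOSTS:
        reasons.append("known C2 host")
    if u.scheme == "http" and find_imeis(body):
        reasons.append("IMEI sent over plaintext HTTP")
    # Two or more phone-number-like tokens in one cleartext POST body suggests a contact dump.
    phones = re.findall(r"(?<!\d)\+?\d{10,13}(?!\d)", body)
    if u.scheme == "http" and method == "POST" and len(phones) >= 2:
        reasons.append("contact list over plaintext HTTP")
    return {"url": url, "host": u.hostname, "reasons": reasons}

def scan(log: str) -> list:
    """Return only the flagged lines, in log order."""
    rows = (analyse_line(l) for l in log.splitlines() if l.strip())
    return [r for r in rows if r["reasons"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["url"], "->", ", ".join(hit["reasons"]))
```

The fourth line is flagged only for the host, not for an IMEI, because its 15-digit value fails the Luhn check; this keeps arbitrary numeric IDs from producing IMEI-exfiltration alerts.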

Additionally, we observed the following functionality in the malware’s code but did not see it execute during our analysis:

  • Access SMS messages on the infected device
  • Send app download links to a number via SMS – this would allow the attacker to propagate this threat further

CONNECTION WITH THE AHMYTH RAT

This malware contains parts of code that are identical to code present in Ahmyth RAT:

Overall, this threat showcases how malware writers reuse code from other malware samples and package legitimate applications with malicious code. Often, malicious applications contain no usable functionality and simply do nothing once executed. Sometimes, however, malware writers package legitimate, working apps with malicious components. In such cases, if victims are not vigilant they may never suspect that their device is already infected with malware.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • AndroidOS.Ahmyth.RB

Indicators of Compromise (IOCs):

  • e268743d7f6cb6901a9a7ed4306a8bb3
  • ef9346f9cd1d535622126ebaa1008769