Google removed from the Play Store this week an Android app called NEXTA LIVE (com.moonfair.wlkm), which was used to collect personal data from anti-government protesters in Belarus. The app had been available on the Play Store for about three weeks. By the time it was removed, it had been downloaded and installed thousands of times and had received hundreds of reviews.
To entice users into downloading it, NEXTA LIVE was presented as the official Android app of Nexta, an independent Belarusian news outlet that has become very popular with anti-Lukashenko protesters following the police violence during the recent anti-government protests in Belarus.
However, Nexta said on Telegram last week that the app had nothing to do with its service and that it had been built to collect user data in order to identify protesters. Nexta therefore warned users not to install it, and asked those who had to immediately uninstall the app from their devices, rate it poorly, and report it to Google. This mass-reporting strategy proved effective and the app was removed this week, but for many users the damage had already been done.
According to a Belarusian security researcher, whose identity is being withheld to protect their anonymity, the app was designed for mass data collection. In a brief analysis shared with Nexta's readers, the researcher stated that the app collected location data and information about the owner of each device, and then periodically uploaded that data to a remote server.
In addition, Gabriel Cîrlig, an Android malware researcher, stated that the app appears to communicate with the domain arcpi.nextialive.roimaster[.], which is hosted on a Russian IP address (89.223.89[.]47). Neither the domain nor the IP address appears in threat intelligence feeds, as they have not been associated with earlier malware campaigns. However, the same IP address has hosted other suspicious domains in the past, for example hackappnewcrmuzbekistan.roimaster[.], which indicates that there is more to this server than meets the eye.
Regardless, a location data collection feature has no place in a news-focused app, let alone in one that is popular with anti-government protesters in a politically unstable country currently ruled by an authoritarian leader struggling to remain in power.
Although there is no apparent link between the fake Nexta app and the Minsk government, this would not be the first time a government has tried to spy on its citizens during anti-government protests in order to identify the participants. Similar incidents took place in Venezuela and Iran in 2019, and also in the USA earlier this year during the "Black Lives Matter" demonstrations.
Belarusian citizens are also reasonably wary of the app and consider a link to the government plausible, given that earlier this year Belarusian police raided the offices of Yandex and Uber, in what protesters described as an attempt to obtain route location data and determine who had taken part in the anti-government protests.