Fake NEXTA LIVE app collected information about protesters in Belarus
Google has removed an app called NEXTA LIVE from the Google Play Store; the app was used to collect personal data from Belarusians taking part in anti-government protests.
The NEXTA LIVE app (com.moonfair [.] Wlkm) had been available in the store for nearly three weeks. Its listing described NEXTA LIVE as the official Android app of the NEXTA news agency, which has gained popularity in connection with the protests in Belarus. However, in a message on Telegram, the channel's representatives stated that the application has nothing to do with the service and was developed to collect user data and de-anonymize protesters. Users are therefore strongly urged to remove the program from their devices.
According to an information security researcher from Belarus, who wished to remain anonymous, the application collects geolocation data as well as information about the device's owner, and sends the collected information to a remote server.
According to information security expert Gabriel Cîrlig, who also analyzed the application, the program connects to the domain arcpi.nextialive.roimaster [.] Site, which resolves to the Russian IP address 89.223.89 [.] 47. Neither the domain nor the IP address appears on threat lists, and apparently neither is linked to known malicious campaigns. However, ZDNet writes that the same IP address has been used to host other suspicious domains.