Save Me Android App saves your data to a Command and Control server
Security researchers at Lookout have discovered new data-stealing malware that disguises itself as a legitimate-looking backup application on Google Play. Called Save Me, the app claims to be able to save a user’s contacts and states that backup of files, photos and videos will be added at a later stage. The app claims that this information can be accessed in case the smartphone or tablet is lost or stolen.
Lookout’s blog states that it is a malapp that in reality contains a variant of the information-stealing malware ‘SocialPath’.
Describing the characteristics of Save Me and SocialPath, Lookout’s senior security product manager, Jeremy Linden, explained that it is primarily distributed through spam via Twitter, WhatsApp and other social platforms, with socially engineered messages designed to encourage victims to click on a disguised download link.
Once the victim clicks on the link, the app asks permission to access information from the device, including name, email, phone number and even a photo of the user, before connecting to a C&C server and exfiltrating this and other data from the device, Linden explained. He added that this includes contacts, text messages, call logs and device information.
Another unusual thing about this app is that, during installation, the app icon may appear on the smartphone launcher, but it disappears as soon as the installation is complete. Lookout says this is done to hide the malware from the user and from antivirus engines. Another interesting point is that it has the ability to call any number designated by the command and control server and to automatically hang up the call on a timer. However, Lookout could not make out why it does that. Linden added,
“We are unsure what the authors use this functionality for, but we’ve seen similar tactics used as a revenue source — malware authors will call premium numbers to collect associated fees and make money. The malware then deletes the call records so as to hide its activities.”
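The behaviour described above (bulk collection of contacts, SMS and call logs with a network path to a C&C server, plus placing calls and wiping the call records) leaves a permission footprint that a defender can triage statically. The following is an added example, not Lookout’s tooling or code from the app: it parses an AndroidManifest.xml and flags the combination of permissions that would be needed for that behaviour. The capability-to-permission mapping is this example’s own heuristic, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Capability -> permission(s) that grant it. The capabilities mirror what the article
# says the malware does; the mapping itself is this example's own heuristic.
CAPABILITIES = {
    "reads contacts": {"android.permission.READ_CONTACTS"},
    "reads text messages": {"android.permission.READ_SMS"},
    "reads call log": {"android.permission.READ_CALL_LOG"},
    "reads device identity": {"android.permission.READ_PHONE_STATE"},
    "network exfiltration path": {"android.permission.INTERNET"},
    "places calls silently": {"android.permission.CALL_PHONE"},
    "erases call records": {"android.permission.WRITE_CALL_LOG"},
}
DATA_READS = {"reads contacts", "reads text messages", "reads call log", "reads device identity"}

def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}

def triage(manifest_xml: str) -> dict:
    """Flag a manifest whose permission profile matches the SocialPath behaviour described above."""
    perms = declared_permissions(manifest_xml)
    caps = [c for c, needed in CAPABILITIES.items() if needed <= perms]
    # Rule 1: several data sources read plus a network path out of the device.
    exfil = "network exfiltration path" in caps and len(DATA_READS & set(caps)) >= 2
    # Rule 2: can place calls and can rewrite the call log that would record them.
    call_abuse = "places calls silently" in caps and "erases call records" in caps
    reasons = [r for r, hit in (("bulk data read + network", exfil),
                                ("call placement + call-log tampering", call_abuse)) if hit]
    return {"capabilities": caps, "suspicious": exfil or call_abuse, "reasons": reasons}

def _manifest(*perms):
    """Build a minimal constructed AndroidManifest.xml declaring the given permissions."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return f'<manifest xmlns:android="{ANDROID_NS}" package="example.test">{body}</manifest>'

# Constructed sample manifests (not taken from the real app).
BACKUP_APP = _manifest("android.permission.READ_CONTACTS", "android.permission.INTERNET")
SOCIALPATH_LIKE = _manifest(
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
    "android.permission.INTERNET", "android.permission.CALL_PHONE",
    "android.permission.WRITE_CALL_LOG",
)

if __name__ == "__main__":
    for label, m in (("benign backup app", BACKUP_APP), ("SocialPath-like profile", SOCIALPATH_LIKE)):
        print(label, triage(m))
```

A contacts-only backup app with network access stays below the threshold, which is the point: the flag fires on the combination, not on any single permission.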
Lookout says that its code analysis suggests the malware authors/handlers are of Arabic origin, and that the app has spread mainly in Lebanon (29%), Sudan (19%) and Oman (11%) through phishing techniques.
Google has removed Save Me from Google Play after being contacted by Lookout, but the APK of the app is still widely available and is mostly being spread through phishing campaigns. Lookout says that the motive of the authors/handlers is not known and that it may be a case of political espionage, financially driven phishing, or something more sinister.
Lookout said that SocialPath has also been spotted doing the rounds disguised as an online reputation management tool.
Google Play has a bad reputation for allowing such malapps onto its platform. As an Android smartphone user, you have to be extra careful when allowing such apps to be installed on your phone.
You should always take care to
- Download apps from trusted developers — read reviews, research the developers, make sure you’re choosing a trustworthy product, especially if this tool is promising to help you protect sensitive information
- Don’t download apps from third-party marketplaces