Lookout Discovers SocialPath Malware in Google Play Store

Mobile security vendor Lookout has discovered a variant of the malware SocialPath in Google Play. The app describes itself as a ‘reputation management’ tool and claims it will notify users whenever their photos are uploaded to the Internet, but it actually steals their data.

The Save Me app, which is a variant of SocialPath, claims to save the user’s contacts. The developers of this app also say that they will soon add functions for saving your videos, photos, and other information. When Lookout alerted Google about the presence of this app in Google Play, they promptly removed it from their store.

Privacy tools help users understand what sort of data they are sharing. They help people keep their personal stuff personal. Needless to say, their popularity has surged over the years with the rising number of cyber attacks. So it is particularly shocking when an app that claims to protect your privacy steals your data instead.

The malware SocialPath mainly targets Sudan – a region rife with political turmoil. The authors of this spam campaign distribute it through popular services like WhatsApp and Twitter.

The spam tricks people into clicking a shortened URL. Victims receive messages that claim that their private photos have been discovered online. They are encouraged to click on the shortened URL to see the photos. When unsuspecting victims click on the shortened URL, the malware initiates a download of infected files.

One of these spam campaigns managed to obtain as many as 5,961 clicks. Most of these clicks came from Lebanon. Users in Sudan and Oman have also fallen victim to this campaign.


Photo: Lookout

When the victim signs up for the app’s fake service, it requests personal data, including the person’s full name, phone number, email address, country, and a photo.

As soon as the victim enters the requested information, the BootStartUpReceiver starts the back-end service. The malware also steals data already on the device, including SMS messages, device contacts, call logs, and device information. It then connects to the C&C server and sends both the personal data the victim typed in and the additional data stolen from the device.

While the victim is entering their personal information, the malware will display its icon on the device’s launcher. When the user completes the registration process, the malware will delete its icon to hide in the phone. It is also capable of calling any phone numbers designated by the C&C.

It is not exactly clear what the authors are trying to achieve with this functionality. However, the same tactics are often used for making money. The authors may dial premium numbers and collect subscription fees. The malware will then hide its activity by deleting the call records.
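The behaviours described above (a receiver that runs at boot, reading SMS, contacts and call logs, contacting a remote server, placing calls and deleting call records) each require a declared Android permission or manifest component, so a defender can triage a sample statically before running it. The following is an added example written for this article, not Lookout's tooling and not code from the SocialPath sample; the permission and intent-action names are real Android identifiers, the mapping from the article's behaviours to those permissions is this example's assumption, and the two manifests are constructed inputs (the `.BootStartUpReceiver` class name is the one the article mentions; the package names are placeholders).

```python
"""Static triage of an Android manifest for the capability pattern described
in the write-up (constructed example; not Lookout's or the malware's code)."""
import xml.etree.ElementTree as ET

# Android puts its attributes (android:name, ...) in this namespace; the
# manifest element tags themselves are unprefixed.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Behaviour from the article -> permission(s) an app must declare to do it.
# The permission names are real; the mapping is this example's assumption.
BEHAVIOUR_PERMISSIONS = {
    "read SMS messages": {"android.permission.READ_SMS"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read call logs": {"android.permission.READ_CALL_LOG"},
    "read device information": {"android.permission.READ_PHONE_STATE"},
    "contact a remote server": {"android.permission.INTERNET"},
    "place calls to chosen numbers": {"android.permission.CALL_PHONE"},
    "delete call records": {"android.permission.WRITE_CALL_LOG"},
}


def declared_permissions(root):
    """Set of permission names declared via <uses-permission>."""
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def boot_receivers(root):
    """Names of <receiver> components whose intent filter listens for boot."""
    names = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(ANDROID_NS + "name") == BOOT_ACTION:
                names.append(receiver.get(ANDROID_NS + "name"))
    return names


def triage(manifest_xml):
    """Return the behaviours the manifest enables and a suspicion verdict.

    Heuristic (an assumption of this example): flag an app that starts at
    boot, can read private data, and can send it off the device.
    """
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    found = [b for b, need in BEHAVIOUR_PERMISSIONS.items() if need <= perms]
    receivers = boot_receivers(root)
    reads_data = any(b.startswith("read") for b in found)
    suspicious = bool(receivers) and reads_data and "contact a remote server" in found
    return {"behaviours": found, "boot_receivers": receivers, "suspicious": suspicious}


# Constructed manifest modelled on the behaviours the article lists.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.saveme">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application>
        <receiver android:name=".BootStartUpReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed manifest of a benign app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The verdict is only a triage signal: many legitimate apps hold one or two of these permissions, which is why the heuristic requires the combination of boot persistence, private-data reads and network access before it flags anything. A real review would follow up by looking at what the boot receiver actually starts.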

Some clues present in the code suggest that the authors of this app are Arabic-speaking. Besides Sudan, the malware targets Oman, Burkina Faso, Liberia, Malaysia, and Equatorial Guinea. In fact, it is the most commonly found malware in these countries.

SocialPath could be an advanced phishing scam or an espionage tool. It shows that users need to be cautious about what apps they download and install on their device.

Smartphone owners should download only trusted applications. It is also best to avoid downloading applications from third-party marketplaces.