4 February 2015
Despite technological advancements, most of our online experience is built on trust. We trust that app stores like Google Play will weed out the baddies, and we trust security companies to keep us safe. In January, researchers at Lookout discovered a case where both of those assumptions proved false, when malware snuck onto Google Play disguised as a secure backup service called SaveMe.
Save Me From SaveMe!
SaveMe slipped into the Google Play Store, posing as a service to back up the contacts on your phone. But according to a blog post from Lookout’s Jeremy Linden, it’s actually a variant of another piece of Android malware called SocialPath. Like SaveMe, SocialPath disguised itself as a piece of security software.
The SaveMe malware takes a two-pronged approach to nabbing victims’ personal information. The first is a social engineering angle, where the app prompts users for their full name, email, phone number, and a photo. Meanwhile, the app is also secretly swiping victims’ contact list, SMS messages, and device information such as the MAC address, wireless carrier, and more. The malicious app also nabs the victims’ call log, which shows the numbers called, the date and time of the call, the contact information associated with the call, and more.
Lookout also notes that SaveMe can call numbers and then hang up after a predetermined period. This is a bit odd when compared with the rest of SaveMe’s activity, which closely resembles a spy app. “We are unsure what the authors use this functionality for, but we’ve seen similar tactics used as a revenue source,” explained Linden in his blog post. “Malware authors will call premium numbers to collect associated fees and make money.”
Though it’s since been removed from Google Play, many likely fell for the scam. When observing one spam campaign designed to spread the malware to new victims, Lookout said they tracked some 5,961 clicks on the campaign’s malicious links.
Most of our SecurityWatch readers aren’t likely to encounter SaveMe, as it is primarily targeted at Lebanon, Sudan, and Oman. It’s also no longer in Google Play, so it’s much harder to simply stumble across.
Though Google didn’t catch this particular malicious app, that’s no reason to give up on the Google Play store. It’s been fooled before and will be fooled again, but it’s still the best first line of defense against malware. Definitely do not install Android apps from third-party marketplaces. Beyond that, Lookout advises Android users to stick with known, trusted developers, even in the Google Play store.
Source – http://securitywatch.pcmag.com/mobile-security/331685-mobile-threat-monday-saveme-malware-infiltrates-google-play