The SocialPath mobile privacy tool is really a piece of mobile malware that steals users’ data, researchers have warned.
The malware claims to be an online reputation management tool that will alert users whenever their photo is uploaded anywhere on the internet.
In reality, the malware connects to a command and control (C&C) server to which it sends data collected from the device it is installed on, according to researchers at mobile security firm Lookout.
They found the malware has been distributed through popular social networks such as Twitter and WhatsApp, and a variant was also found on Google Play which claimed to back up contact lists.
Lookout alerted Google, and the malicious app – which also claimed to back up mobile content – has since been removed from the official app store.
The researchers found the malware also has the ability to call any number designated by the C&C server. The malware automatically hangs up the call according to a timer and deletes the call record.
The purpose of this functionality is not clear, but researchers believe it could be intended as a revenue source by enabling those behind the malware to collect fees from the phones calling premium numbers.
The spying functionality of the malware suggests it could be a political espionage tool or an advanced phishing scheme.
This ties in with the fact that SocialPath appears to have been mainly targeted at mobile users in Lebanon and Sudan.
The malware is spread using messages designed to lure victims into clicking a shortened link, which then initiates the download.
One such message said: “I found your private photos here [link] click to see.”
Lookout senior security product manager Jeremy Linden said that, after looking into a series of Bit.ly links the firm had acquired, the researchers were able to see the campaigns in action.
“One campaign achieved 5,961 clicks with the majority of those clicks in Lebanon. Sudan and Oman followed in second and third place respectively,” he wrote in a blog post.
The EU was in third place with only 7% of the total clicks, while the UK was among five countries with the seventh-largest share of 2% and the US was among five countries with a share of just 1%.
When a victim signs up for the fake service, it requests personal information including full name, email address, phone number, country of residence and a personal photograph.
This data is sent to the C&C server along with other data collected from the device, including contacts, text messages, detailed call logs and device information.
Once the victim is registered, the malware deletes its icon from the mobile phone launcher and seems to disappear.
Although worldwide prevalence for this threat is low, Linden said SocialPath shows mobile phone users need to be extra cautious about what tools they use to protect themselves and their data.
He said mobile phone users should always download apps from trusted developers rather than third-party marketplaces, read reviews, research the developers and ensure they are downloading a trustworthy product.