January 6, 2015

The privacy tool that wasn’t: SocialPath malware pretends to protect your data, then steals it

By Jeremy Linden

Privacy tools matter more today than ever. They help people understand what kind of data they are sharing and can help keep personal information personal.
So it is particularly egregious when a piece of malware pretends to protect a person's privacy and, instead, steals their data.
Lookout recently discovered SocialPath, a piece of malware that advertises itself as an online reputation management tool. It claims that it will alert its users any time their photo is uploaded somewhere on the Internet. Instead, it steals the victim's data.
We found one variant associated with this family in Google Play. We alerted Google to the malware and it has since been removed. This app offers a slightly different service -- it promises to act as a backup service saving your contacts. It says it will also soon add features for saving your photos, videos, and other data "so if you lose your phone, you will not lose its contents." SocialPath targets Sudan predominantly -- a region that has been rife with political unrest since the country split when an oil-rich South Sudan seceded.
It is distributed through spam campaigns on popular social networks such as Twitter and WhatsApp. The spam uses enticing language to get people to click a shortened link, which then initiates the download. One spam campaign messaged individuals saying, "I found your private photos here [link] click to see."
After looking into a series of Bit.ly links we acquired, we were able to see these campaigns in action. One campaign achieved 5,961 clicks with the majority of those clicks in Lebanon. Sudan and Oman followed in second and third place respectively.
When you sign up for the fake service it requests a large amount of personal information, including the victim's full name, email address, phone number, country of residence, and a personal photograph. The BootStartUpReceiver then starts the backend service, which connects to the command and control server and exfiltrates this personal information along with additional data it surreptitiously collects from the device, including:
  • Device contacts
  • SMS messages
  • Detailed call logs (number, date, duration, type, new or old, name, number type, number label)
  • Device information (MAC, carrier, country)
Initially, while the victim is registering, the malware displays an icon on the phone's launcher. However, once the registration process is finished, the malware deletes its own icon to hide its presence on the phone.
Oddly, it also has the ability to call any number designated by the C&C and automatically hang up the call according to a timer. We are unsure what the authors use this functionality for, but we’ve seen similar tactics used as a revenue source -- malware authors will call premium numbers to collect associated fees and make money. The malware then deletes the call records so as to hide its activities.
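The behaviours above (a boot-started receiver feeding a C&C-connected service, harvesting of contacts, SMS and call logs, and the ability to place and then erase calls) all leave traces in an app's manifest. The following triage script is an added example, not Lookout's tooling: it parses a decoded AndroidManifest.xml and flags the combination of a BOOT_COMPLETED receiver, network access and multiple data-harvesting permissions. The permission-to-behaviour mapping and the sample manifest (package name, component name taken from the post) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Mapping of permissions to the behaviours the post describes is my own, not Lookout's.
DATA_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "harvests device contacts",
    "android.permission.READ_SMS": "harvests SMS messages",
    "android.permission.READ_CALL_LOG": "harvests call logs",
    "android.permission.READ_PHONE_STATE": "collects device and carrier information",
}
CALL_PERMISSIONS = {
    "android.permission.CALL_PHONE": "can place calls to numbers chosen by the C&C",
    "android.permission.WRITE_CALL_LOG": "can delete its own call records",
}

def boot_receivers(root):
    """Names of <receiver> components registered for BOOT_COMPLETED."""
    return [r.get(NS + "name") for r in root.iter("receiver")
            if BOOT_ACTION in {a.get(NS + "name") for a in r.iter("action")}]

def triage_manifest(xml_text):
    """Return (suspicious, findings) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    findings = [d for p, d in {**DATA_PERMISSIONS, **CALL_PERMISSIONS}.items() if p in perms]
    receivers = boot_receivers(root)
    if receivers:
        findings.append("starts at boot via " + ", ".join(receivers))
    data_hits = sum(1 for p in DATA_PERMISSIONS if p in perms)
    # Flag the combination, not any single permission: a boot-started component,
    # network egress, and at least two of the data sources SocialPath exfiltrates.
    suspicious = bool(receivers) and "android.permission.INTERNET" in perms and data_hits >= 2
    return suspicious, findings

# Constructed sample manifest mirroring the behaviours described in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebackup">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <application>
    <receiver android:name=".BootStartUpReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see the sample flagged; a manifest with only INTERNET and no boot receiver returns `(False, [])`.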
We believe the creators of this malware are likely Arabic-speaking because of clues in the code. In addition to Sudan, SocialPath targets Oman, Equatorial Guinea, Burkina Faso, Liberia, and Malaysia. And though worldwide prevalence for this threat is low, it is the most commonly encountered piece of malware in many of its target countries.
Whether a political espionage tool or an advanced phishing scheme, SocialPath shows that consumers need to be extra cautious about what tools they use to protect themselves and their data.
You should always:
  • Download apps only from trusted developers -- read reviews, research the developers, and make sure you're choosing a trustworthy product, especially if the tool promises to help you protect sensitive information
  • Avoid downloading apps from third-party marketplaces
