Warning: Mobile Privacy Tools "SocialPath" and "Save Me" Are Malware

It’s no secret that almost everyone is part of the internet casino. Whether we like it or not, we are all part of it. That is why it is more important than ever to keep as much data/information private as we can. Many people are looking to utilize various types of privacy tools. One has to stay vigilant, however, because not all of these can be trusted, and having too much blind faith in the wrong tool can backfire.

Such is the recent case of a smartphone app “SocialPath” and its variant that was found directly on Google Play called “Save Me (Contact&SMS).” SocialPath promises its users to manage their online reputation by alerting them whenever a photo of them is uploaded anywhere on the web, while Save Me promises to back-up all the photos, videos, and other data, so that if the phone is lost, the user won’t lose important data along with it. Both of these apps, however, are malware that will infect your device and steal the following:

  • Device contacts
  • SMS messages
  • Detailed call logs (number, date, duration, type, new or old, name, number type, number label)
  • Device information (MAC, carrier, country)

The malware also has the ability to place phone calls to any number directed by the C&C, while also having a built in timer for hanging up – this is presumably included for the purpose of calling premium numbers to create extra revenue for the malware creators.

The malware spreads through a spam campaign through SMS, with messages of the type: “I found your private photos here [link] click to see.”

Main target countries of this malware are Lebanon, Sudan, Oman, Gabon, and Saudi Arabia. Experts from Lookout, a mobile security company that identified the threat, say that they “believe the creators of this malware are likely Arabic-speaking because of clues in the code,” and that “though worldwide prevalence for this threat is low, it is the most commonly encountered piece of malware in many of its target countries.”

To protect yourself against this and other similar types of attacks, Lookout advises the following:

  • Download apps from trusted developers — read reviews, research the developers, make sure you’re choosing a trustworthy product, especially if this tool is promising to help you protect sensitive information
  • Don’t download apps from third party marketplaces