08 May 18
A critical task for security professionals is to identify never-before-reported and seemingly benign applications designed to steal data. In this blog post we share analysis details of the Emirates Number Directory aka “دليل الهاتف الاماراتي” application, which has the package name: com.androDiv.uaephonebook. At the time of this analysis, Emirates Number Directory was available for download in the UAE’s Google Play Store at the following link:
This application has been downloaded over 20,000 times in the UAE since 2016, and DarkMatter has discovered the application has different versions that target Arabic-speaking countries.
|Package name|Targeted country|Number of downloads|
|---|---|---|
|com.androDiv.ksaphonebook|Saudi Arabia|60 000+|
The application intentionally and silently creates a SQLite database on the phone and stores in it the full contact list: contact names, phone numbers, and registered emails. In the Palestinian version of the application we found that received SMS messages were also stored.
This SQLite database is exfiltrated to a controlled server: phonebook[.]site, passing personal data along to unknown actors who may then be put in a position to make use of the information or share it further.
DarkMatter recommends that this application not be installed on devices. We further recommend its urgent removal from any device on which it has already been installed.
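To locate affected devices, the package names and exfiltration domain named in this post can be checked against installed-package listings and DNS logs. The sketch below is an added example, not part of the original analysis; the DNS log format, the sample data and the sibling-package naming pattern are assumptions.

```python
import re

# Indicators from the post (domain re-fanged from phonebook[.]site).
KNOWN_PACKAGES = {"com.androDiv.uaephonebook", "com.androDiv.ksaphonebook"}
EXFIL_DOMAIN = "phonebook.site"
# Assumption: other country builds reuse this naming pattern.
SIBLING_RE = re.compile(r"^com\.androDiv\.[a-z]+phonebook$")

def flag_packages(pm_output):
    """Classify lines of `adb shell pm list packages` output."""
    hits = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name = line[len("package:"):]
        if name in KNOWN_PACKAGES:
            hits[name] = "known"
        elif SIBLING_RE.match(name):
            hits[name] = "suspected-sibling"
    return hits

def is_exfil_host(host):
    """True for the exfiltration domain or a subdomain, not look-alikes."""
    host = host.strip().rstrip(".").lower()
    return host == EXFIL_DOMAIN or host.endswith("." + EXFIL_DOMAIN)

def flag_dns(log_lines):
    """Return (client, host) pairs; assumed format: 'timestamp client query'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and is_exfil_host(parts[2]):
            hits.append((parts[1], parts[2]))
    return hits

# Constructed sample data; "psphonebook" is a made-up package name.
SAMPLE_PM = (
    "package:com.android.chrome\npackage:com.androDiv.uaephonebook\n"
    "package:com.androDiv.psphonebook\npackage:com.example.phonebook\n"
)
SAMPLE_DNS = [
    "2018-05-08T10:00:01Z 10.0.0.12 phonebook.site",
    "2018-05-08T10:00:02Z 10.0.0.13 api.phonebook.site.",
    "2018-05-08T10:00:03Z 10.0.0.14 myphonebook.site",
    "2018-05-08T10:00:04Z 10.0.0.15 phonebook.site.example.com",
]

if __name__ == "__main__":
    print(flag_packages(SAMPLE_PM), flag_dns(SAMPLE_DNS))
```

Matching on the exact domain or a dot-separated suffix keeps look-alike hosts such as `myphonebook.site` out of the results.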
DarkMatter will continue to share periodic findings regarding mobile applications that violate user privacy or create security concerns.
DarkMatter has reported this application to Google in the hope that this will minimise the number of people exposed to this software.
Taha Karim, Lead Security Researcher, Xen1thLabs
Pierre Barre, Senior Security Researcher, Xen1thLabs
To know more or to meet our team visit us at Hack In the Box Dubai from 25-28th November 2018.