08 May 18

DarkMatter identifies app that is stealing personal information

A critical task for security professionals is to identify never-before-reported and seemingly benign applications designed to steal data. In this blog post we share analysis details of the Emirates Number Directory aka “دليل الهاتف الاماراتي” application, which has the package name: com.androDiv.uaephonebook. At the time of this analysis, Emirates Number Directory was available for download in the UAE’s Google Play Store at the following link:

https://play.google.com/store/apps/details?id=com.androDiv.uaephonebook&hl=ar

This application has been downloaded over 20,000 times in the UAE since 2016, and DarkMatter has discovered the application has different versions that target Arabic-speaking countries.

| Package name | Targeted country | Number of downloads |
| --- | --- | --- |
| com.androDiv.uaephonebook | UAE | 20 000+ |
| com.androDiv.palphonebook | Palestine | 10 000+ |
| com.androDiv.syphonebook | Syria | 10 000+ |
| com.androDiv.kwphonebook | Kuwait | 6 000+ |
| com.androDiv.egyptphonebook | Egypt | 20 000+ |
| com.androDiv.ksaphonebook | Saudi Arabia | 60 000+ |
| com.androDiv.yemanphonebook | Yemen | 20 000+ |
| com.androDiv.brphonebook | Bahrain | 20 000+ |
| com.androDiv.qrphonebook | Qatar | 2000+ |
| com.androDiv.jrphonebook | Jordan | 6000+ |

The application intentionally and silently creates a SQLite database on the phone and stores in it the full contact list: contact names, phone numbers, and registered emails. In the Palestinian version of the application we found that received SMS messages were stored as well.

This SQLite database is exfiltrated to a controlled server: phonebook[.]site, passing personal data along to unknown actors who may then be put in a position to make use of the information or share it further.

DarkMatter recommends that this application not be installed on devices. We further recommend its urgent removal from any device on which it has already been installed.
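To act on the removal recommendation across a device fleet, the following is an added example (not part of DarkMatter's original post or tooling) that flags the package names from the table above in `pm list packages` output and finds clients that resolved the exfiltration domain. The variant pattern, the DNS log format (`<timestamp> <client-ip> <query-name>`), and all sample input are assumptions constructed for illustration.

```python
import re

# Package names and target countries copied from the table in this post.
KNOWN_PACKAGES = {
    "com.androDiv.uaephonebook": "UAE", "com.androDiv.palphonebook": "Palestine",
    "com.androDiv.syphonebook": "Syria", "com.androDiv.kwphonebook": "Kuwait",
    "com.androDiv.egyptphonebook": "Egypt", "com.androDiv.ksaphonebook": "Saudi Arabia",
    "com.androDiv.yemanphonebook": "Yemen", "com.androDiv.brphonebook": "Bahrain",
    "com.androDiv.qrphonebook": "Qatar", "com.androDiv.jrphonebook": "Jordan",
}
# Heuristic for unlisted variants; this pattern is an assumption of the example.
VARIANT_RE = re.compile(r"^com\.androDiv\.\w*phonebook$", re.IGNORECASE)
EXFIL_DOMAIN = "phonebook[.]site".replace("[.]", ".")  # re-fanged for matching only

def parse_pm_list(output):
    """Return package names from `pm list packages` output, with or without -f."""
    names = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # With -f the line is package:<apk path>=<name>; the name comes last.
            names.add(line[len("package:"):].rsplit("=", 1)[-1])
    return names

def flag_packages(installed):
    """Map each suspicious installed package to its country or a variant label."""
    hits = {}
    for name in sorted(installed):
        if name in KNOWN_PACKAGES:
            hits[name] = KNOWN_PACKAGES[name]
        elif VARIANT_RE.match(name):
            hits[name] = "unlisted variant (heuristic match)"
    return hits

def clients_resolving_exfil_domain(dns_lines):
    """Return clients that queried the exfiltration domain or a subdomain of it."""
    clients = set()
    for line in dns_lines:
        parts = line.split()
        if len(parts) >= 3:
            qname = parts[2].rstrip(".").lower()  # drop root dot, ignore case
            if qname == EXFIL_DOMAIN or qname.endswith("." + EXFIL_DOMAIN):
                clients.add(parts[1])
    return clients

# Constructed sample input (not taken from any real device or network).
SAMPLE_PM = ("package:com.android.chrome\n"
             "package:/data/app/x==/base.apk=com.androDiv.ksaphonebook\n"
             "package:com.androDiv.examplephonebook\n")
SAMPLE_DNS = [f"t1 10.0.0.15 {EXFIL_DOMAIN}.", f"t2 10.0.0.22 api.{EXFIL_DOMAIN}",
              f"t3 10.0.0.31 my{EXFIL_DOMAIN}"]
```

The domain match is anchored on a label boundary, so a lookalike such as the third sample line is not reported.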

DarkMatter will continue to share periodic findings regarding mobile applications that violate user privacy or create security concerns.

DarkMatter has reported this application to Google in the hope that this will minimise the number of people exposed to this software.

Authors

Taha Karim, Lead Security Researcher, Xen1thLabs

Pierre Barre, Senior Security Researcher, Xen1thLabs 

To know more or to meet our team visit us at Hack In the Box Dubai from 25-28th November 2018. 

