Is “Private number” really private? Apparently not…

This week, the AVG Mobilation™ research team found a new PUP (Potentially Unwanted Program) named ‘441 Israel’ targeting Israeli users.

After our security research team reported this to Google, Google suspended the developer and removed the application.

The discovery and analysis were done with the help of an independent security researcher named Avri Schneider.


Details:

The application was available for download from Google Play (called ‘Android Market’ until recently) and allows reverse lookup of Israeli phone numbers.


Under the hood, the application uses the above-mentioned web service to perform its queries.

Upon installation, the application requires the user to grant it access to the contact list as well as access to the internet.


Once installed, the application harvests all of the user’s contacts and sends them over FTP to a server hosted by ‘GoDaddy’ in Houston, Texas, USA.

In addition to the user’s contact list, the data sent by the application includes the IMEI number of the Android device; both are stored in the server’s database, which allows the contact list of a particular device to be listed.

The same server acts as an HTTP server, accepting queries from the application to perform reverse lookup requests.
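The upload pattern described above (a plaintext FTP session carrying a contact list tagged with the device IMEI) is something a network defender can look for. The following is an added example, not code from AVG or from the application: it scans a constructed FTP session transcript, validates any 15-digit candidate with the Luhn checksum an IMEI carries, counts phone-number entries, and flags the session. The sample session, the IMEI and the names in it are made up.

```python
import re

# Constructed sample of a captured FTP session (control commands followed by
# the uploaded payload), modelled on the behaviour described above; it is not
# a real capture from the '441 Israel' application. The IMEI is made up.
SAMPLE_SESSION = """\
USER uploader
PASS s3cret
STOR contacts_359881040587214.txt
IMEI=359881040587214
Dana Cohen;+972-52-555-0100
Bank branch;03-555-0199
Car alarm code;1234
Yossi Levi;+972-54-555-0123
"""

IMEI_RE = re.compile(r"\b\d{15}\b")
# Dashed phone numbers as exported in the sample; deliberately does not match
# the 15-digit IMEI or short numeric codes such as the alarm code.
PHONE_RE = re.compile(r"\+?\d{1,3}(?:-\d{2,4}){2,3}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; a 15-digit IMEI carries it in its last digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_imeis(text: str) -> list:
    """Return the distinct Luhn-valid 15-digit numbers found in the text."""
    return sorted({m for m in IMEI_RE.findall(text) if luhn_valid(m)})


def assess_ftp_session(session: str, min_phones: int = 3) -> dict:
    """Flag an FTP upload that looks like a harvested contact list tied to an IMEI."""
    lines = session.splitlines()
    uploads = [l.split(None, 1)[1] for l in lines if l.upper().startswith("STOR ")]
    imeis = find_imeis(session)
    phones = PHONE_RE.findall(session)
    verdict = {
        "uploads": uploads,
        "imeis": imeis,
        "phone_numbers": len(phones),
        # FTP sends credentials in the clear, so a PASS line is itself a finding
        "cleartext_login": any(l.upper().startswith("PASS ") for l in lines),
    }
    verdict["suspicious"] = bool(uploads) and bool(imeis) and len(phones) >= min_phones
    return verdict


if __name__ == "__main__":
    print(assess_ftp_session(SAMPLE_SESSION))
```

The same logic can be fed FTP data-channel reassemblies from a proxy or IDS; the threshold `min_phones` keeps a single number-lookup query from triggering.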

For example, here we can see the information the application tries to extract from the device:


In addition to the fact that the application does not inform the user that it is sending the user’s entire contact list to the server, there is the issue of the security practices the server employs to protect this private data.

The server includes an administration interface that allows the administrator (the author of the application) to search, add, edit and remove entries in the database.

The source tree on the server included database dumps, in the form of .sql files, of the various database tables, including the users table holding the login credentials for the administrator user.

The harvested contact records could include personal information such as bank and ATM-related details, entrance and car alarm codes, passwords, police and governmental records and more.

This information can be used for targeted social-engineering attacks and for other malicious purposes.