Cyber criminals have created a fake version of the Sarahah app using malicious software named DroidJack to spy on and collect sensitive data from Android devices.
Masquerading as the Sarahah app, DroidJack helps hackers view contact lists, GPS locations, SMS messages and WhatsApp data on targeted devices.
Back in August, we reported on how Sarahah, a new social media app aimed at helping people send personal messages to others while remaining anonymous, notched up as many as 20 million downloads in no time. Even though the app helped people withhold their identities while communicating with others, it later turned out that the app’s developers weren’t as privacy-conscious as users believed.
Security researcher Zack Julian then revealed that the app contained functionality ‘to send every phone number, email address, and associated names on a device to Sarahah’s servers’. The data mining was being conducted so that the developers could launch a ‘find your friends’ feature in the future. No such feature has been included in the app so far.
Despite the revelation and a subsequent clarification by Sarahah’s creator, the app’s security woes are far from over.
Researchers at security firm Zscaler have now identified a fake app created by cyber criminals to exploit Sarahah’s popularity across the globe. The duplicate Sarahah app was made available on third-party app stores and contained DroidJack, malicious software that lets hackers view contact lists, GPS locations, SMS messages, WhatsApp data and other sensitive data on targeted devices.
Once an Android smartphone owner downloads the duplicate app, the app requests admin privileges. Once the rights are granted, the app disappears from the screen but continues to function in the background, running services that will allow DroidJack to take over.
What is DroidJack?
Researchers at Zscaler describe DroidJack as a ‘sophisticated piece of software allowing users to build Android Trojans with the ability to perform many invasive tasks whilst hiding from the user, including accessing calling numbers, emails and stealing GPS locations’.
The malicious software has been around for a while and is a favourite among hackers for its abilities. Its use had once become so widespread that in 2015, law enforcement officials from Germany, France, Britain, Belgium, Switzerland and the United States had to conduct a joint operation to nab creators and operators of DroidJack across Europe.
Even though the authorities enjoyed some success, DroidJack was back in 2016 in the form of a fake and Trojanised Pokémon Go app being distributed in the wild. While users were still able to play the game, DroidJack worked quietly in the background, stealing SMS messages, call logs, contact lists, browser histories, geolocation data and installed apps. It executed commands remotely to take pictures, record videos, record calls and send SMS messages as well.
What can DroidJack do using the fake Sarahah app?
As per the description offered by researchers at Zscaler, the DroidJack tool in the fake Sarahah app is a near-copy of the one in last year’s Trojanised Pokémon Go app.
Once DroidJack is installed on Android devices, it can bind malicious code with any desired APK, delete/add/modify/download/upload files from a victim’s device, spy on SMS messages, record phone conversations, read/copy victims’ contact lists, take pictures using device cameras, listen in to conversations by taking control over microphones, view browser history, steal a victim’s location and record videos, among others.
The malware can also access stored WhatsApp data and remotely make phone calls to anyone on a victim’s contact list. All the data it collects and monitors is then transferred to a remote Command & Control server located at an undisclosed location.
What can you do to protect your device from a DroidJack infection?
The first rule that you must follow is to avoid third-party app stores entirely. These app stores contain apps that have failed to get past security controls in trusted app stores like the Google Play Store and contain all kinds of malware, ransomware, and spyware that can infect your phone and compromise your privacy.
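To check a device against that rule, the sketch below (an added example, not from Zscaler or the original article) flags user-installed apps that did not come from a trusted store, using the output of `adb shell pm list packages -3 -i`. The sample lines and package names are constructed, and the trusted-installer list is an assumption to adjust for your own devices.

```python
import re

# Assumption: only Google Play counts as a trusted installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -3 -i` looks like:
#   package:<name>  installer=<installer package or null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample output; every package name is hypothetical.
SAMPLE = """\
package:com.example.chat  installer=com.android.vending
package:com.example.anonmsg  installer=null
package:com.example.game  installer=com.example.thirdpartystore
"""


def parse_packages(text):
    """Map each package to its installer (None when none was recorded)."""
    packages = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank lines and anything not in the expected form
        installer = match.group("installer")
        packages[match.group("pkg")] = None if installer == "null" else installer
    return packages


def untrusted_installs(text, trusted=TRUSTED_INSTALLERS):
    """Return sorted (package, source) pairs installed from outside `trusted`."""
    flagged = []
    for pkg, installer in parse_packages(text).items():
        if installer not in trusted:
            flagged.append((pkg, installer or "unknown (sideloaded)"))
    return sorted(flagged)


if __name__ == "__main__":
    for pkg, source in untrusted_installs(SAMPLE):
        print(f"review: {pkg} installed via {source}")
```

A flagged package is a prompt for review rather than proof of infection, since legitimate sideloaded apps appear in the same list.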
‘Attackers will continue to target victims by embedding malicious code into any new, popular Android app, as it’s an easy way to quickly widen their attack base. This was the case with Netflix and Pokemon GO. Attackers exploit people’s appetite for new apps and their desire to be the first to have them by offering up fakes before the real versions are officially launched or by mimicking add-on functionality that is not yet available in the official app,’ said researchers at Zscaler.