A privacy tool formerly available on Google Play has turned out to be malware designed to steal sensitive data, according to the security company Lookout.
Variants of SocialPath malware variously claimed to be a service for saving your contact data or for alerting you when a photo you own is uploaded to the internet.
The malware was found to be targeting Lebanon, Sudan and Oman, among other places.
Jeremy Linden, security product manager at Lookout, said: "When you sign up for the fake service it requests a bulk of personal information including the victim’s full name, email address, phone number, country of residence, and a personal photograph."
"The BootStartUpReceiver then initiates the backend service, connecting to the command and control (C&C) server, to which it exfiltrates this personal information along with additional data it surreptitiously collects from the device."
Other data stolen included device contacts, text messages, call logs and device information, with the malware also having the capability to call up numbers chosen by the hackers and hang up after a set time, a tactic Linden said his firm had seen used to rake money off premium phone number scams.
The malware was said to be distributed through spam campaigns running on social networks such as Twitter and WhatsApp, using shortened URLs to disguise the malicious download links and messages claiming to have found private photos online.
"We believe the creators of this malware are likely Arabic-speaking because of clues in the code," Linden said, adding that though the malware was rare throughout the world, it was the most commonly encountered virus in many of the countries targeted.
"Whether a political espionage tool or an advanced phishing scheme, SocialPath shows that consumers need to be extra cautious about what tools they use to protect themselves and their data," he said.