When Improving Battery Life Means Losing Friends
mobilesecurity.com [London, UK] We’ve all had the battery on our smartphone die at the most inappropriate moment: you’re late for a meeting at the end of the day, you need to let someone know your train is delayed, or you forgot to cancel the milk when venturing overseas on a business trip. Any app that offers a solution to this perennial problem is bound to be popular, so it’s no great surprise that battery-saving apps are being used by cybercriminals to target vulnerable Android users.
Recently, Japanese spam emails have been trying to lure users into clicking on a link to download and install a malicious app. The app’s entire raison d’être is to extract details stored in the phone’s Contacts database. It takes names, phone numbers and email addresses and sends the data to an external website, while performing no power-saving actions whatsoever.
We’ve highlighted permissions as being an area that every Android user should take note of to reduce the chance of their privacy being compromised, and this example illustrates the point better than many other cases. This app requests only two permissions when it installs, and the developer may have limited the permissions as much as possible so as not to draw any suspicion. But both permissions are required to perform the exfiltration: first, the permission to read the information stored in Contacts, to acquire the personal data; and second, access to the Internet, in order to upload the data to a server.
There’s a simple lesson to be learned here – as well as taking a look at the number of permissions an app is requesting, it’s vital that you pay attention to what those permissions are trying to do on your smartphone. Think about why a battery-saving app might need to access your contacts – that’s the real killer here. You can find out more from Joji Hamada’s article on the Symantec Security Response blog.
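The point about permission count versus permission purpose, as an added example (not from the original article or the Symantec write-up): a small Python check over a decoded AndroidManifest.xml that flags any pairing of a personal-data permission with one that can send data off the device. The two manifests, the package names and the max_count threshold are constructed for illustration, and the source/sink lists are a small assumed subset of Android's permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed subset: permissions that expose personal data (sources)
# and permissions that can move data off the device (sinks).
SOURCES = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}
SINKS = {
    "android.permission.INTERNET": "network upload",
    "android.permission.SEND_SMS": "outbound SMS",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def exfil_pairs(perms):
    """Every (data source, way out) combination the app could use."""
    return sorted((SOURCES[s], SINKS[k])
                  for s in perms & SOURCES.keys() for k in perms & SINKS.keys())

def review(manifest_xml, max_count=5):
    """Compare a naive 'few permissions is fine' check with the pair check."""
    perms = requested_permissions(manifest_xml)
    return {"count": len(perms),
            "passes_count_check": len(perms) <= max_count,
            "exfil_pairs": exfil_pairs(perms)}

def make_manifest(package, perms):
    """Build a constructed sample manifest (decoded text XML, not APK binary XML)."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}</manifest>')

# Constructed samples: the two-permission app described above, and a
# benign utility that asks for more permissions but touches no personal data.
BATTERY_APP = make_manifest("com.example.batterysaver", ["READ_CONTACTS", "INTERNET"])
UTILITY_APP = make_manifest("com.example.utility", [
    "CAMERA", "VIBRATE", "WAKE_LOCK", "INTERNET",
    "ACCESS_NETWORK_STATE", "RECEIVE_BOOT_COMPLETED"])

if __name__ == "__main__":
    for name, xml in (("battery", BATTERY_APP), ("utility", UTILITY_APP)):
        print(name, review(xml))
```

The battery app passes the count-based check yet is the only one flagged with a contacts-to-network pair, which is the mismatch to weigh against what the app claims to do.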