Pathao steals SMS, Phonebook, App List, and more from users

Pathao is a very popular Uber-style ride-sharing service based in Bangladesh. Pathao is a local startup backed by Bangladeshi entrepreneurs, so it understands the market better than its competitors (Uber). Its marketing campaigns, despite being controversial at times, have been highly successful, and Pathao has established itself as the main competitor to Uber in Bangladesh.

Recently I noticed that when I install Pathao on my Android Oreo smartphone, Pathao asks for SMS and Contacts permissions through the Android runtime permission interface. This is very unusual, and definitely not something a “ride-sharing” app would need. So, as a head-to-toe InfoSec enthusiast, I decided to take a deeper look into Pathao and see what information is being transferred from my smartphone.