When thousands of public sector workers in Syria tried to collect their salaries during Eid El-Fitr this April, many found themselves locked out of a glitchy app they were instructed to download just months earlier.
The app—Sham Cash—is now the Syrian government’s chosen method to disburse wages, pay bills, and transfer funds. But users say it doesn’t work, and worse, experts warn it’s far from secure.
The Sham Cash app, now mandatory for public sector employees, raises urgent concerns about digital security.
In January, Syrian public sector workers were quietly instructed to download an app called “Sham Cash” to receive their salaries.
Sham Cash can only be downloaded via the app’s website and is unavailable on the iOS store. This means that the application is not secure, as apps listed on official stores must pass stringent security verification tests.
Media reports from January also indicate that the app is linked to transfers arriving from “Cham Bank” in Idlib—a money exchange office registered in Turkey with no international recognition. Funds transferred via Sham Cash do not pass through the Central Bank of Syria nor the global banking system.
By April, it became mandatory. The app, however, is marred with technical dysfunction, questionable financial links, and a troubling lack of transparency. As frustration mounts among users, SMEX’s Forensic Analysis Unit investigated what’s really going on.
Unknown Developer Behind Sham Cash
There is no publicly available information about the company behind Sham Cash, raising serious concerns about transparency and accountability. Without a known or registered developer, there is no entity to hold responsible in the event of data breaches, fraud, or financial loss.
The app also lacks clearly stated Terms of Use, a Privacy Policy, or any indication of its legal jurisdiction—making legal recourse virtually impossible.
Because Sham Cash is not linked to a legitimate or verifiable company, its security protocols cannot be assessed, significantly increasing the risk of malware or spyware compromising users’ devices.
Without an officially listed owner, there is no way of tracking and monitoring any misuse or sale of sensitive user data, including personal details, financial information, and transaction histories.
“The key issue in our analysis is that the parent company behind the app is unknown,” says Madleine Belesi, a member of SMEX’s Forensic Analysis Unit. “This poses a major human rights risk because users cannot hold it accountable.”
Personal Data
Financial transactions require the collection of highly sensitive personal data. In the case of Sham Cash, there is no clear policy explaining how this data is stored, who manages it, or whether it may be shared with third parties such as government agencies, foreign financial institutions, or analytics firms.
To create an account, users must provide their full name, national ID number, bank account number, and contact information—standard requirements for legitimate financial services.
However, the official Sham Cash website does not specify who has access to this information beyond the app itself. It also fails to offer a comprehensive privacy policy or any detailed explanation of how data is collected, stored, or shared.
“App design seems to ensure relatively secure data transmission between the server and the user,” says Balesi, “but it has a very ambiguous internal architecture. This could mean it’s a covert surveillance tool used to collect and exploit data, and it potentially enables state-sponsored spying.”
Permissions and Data Encryption
Sham Cash encrypts user data using the Advanced Encryption Standard (AES), a widely used encryption method. The AES key, however, is itself encrypted with the RSA algorithm and sent to the server.
Because the server holds the private RSA key, it can unwrap the AES key at any time, which gives it full access to user data whenever it chooses. The encryption therefore protects data in transit between the app and the server; it does not protect it from whoever operates the server.
In short, Sham Cash’s server can decrypt and access all user data at will.
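To make the trust model of this scheme concrete, here is an added example (not Sham Cash’s code, which SMEX did not publish): the client encrypts a record under a fresh AES key and wraps that key with the server’s RSA public key, and the server, holding the private key, recovers both. The Envelope layout, the function names and the choice of AES-GCM and RSA-OAEP are assumptions; the article states only that AES is used and that the AES key is RSA-encrypted for the server.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is a hypothetical upload: the record under a fresh AES-256-GCM key, plus that key RSA-OAEP-wrapped to the server's public key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
// newServerKey stands in for the operator's RSA key pair; only the server holds the private half.
func newServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// clientEncrypt is the app side: pick an AES key, encrypt the record, wrap the key for the server.
func clientEncrypt(serverPub *rsa.PublicKey, record []byte) (Envelope, error) {
	aesKey := make([]byte, 32)
	rand.Read(aesKey) // crypto/rand.Read never returns an error (Go 1.24+)
	gcm, err := newGCM(aesKey)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, aesKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, record, nil)}, nil
}

// serverDecrypt needs only the RSA private key: its holder recovers the AES key and with it every record. Protected in transit, not from the operator.
func serverDecrypt(serverPriv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Nothing in this design stops the operator from reading records, because the operator is the only party meant to hold the private key; end-to-end protection would require a key the server never receives.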
The app also requests access to the phone’s camera, supposedly to scan QR codes. However, this permission allows the app to view everything the camera sees—including images, videos, and other potentially sensitive content.
While this might seem harmless, flaws in the app’s exported receivers (components that handle system broadcasts like push notifications) and weak security controls could allow malicious apps to exploit these vulnerabilities. This could enable them to activate the camera without user consent, intercept camera data, or alter what’s seen.
There is no clear information on whether Sham Cash records or stores camera data, raising serious concerns about surveillance and misuse. Users are advised to allow camera access only while actively using the app and revoke it immediately afterward.
The app also requires push notifications to be enabled. While this is a common feature, poorly secured exported receivers could allow malicious actors to send fake notifications, tricking users into clicking harmful links or initiating unintended actions within the app.
Additionally, Sham Cash can override the phone’s auto-lock feature—a setting often exploited to track user activity and drain battery life. It also automatically receives permissions to use the fingerprint sensor, monitor network statuses, and establish internet connections.
While some of these permissions are expected for financial apps, such as internet access or biometric authentication, they become troubling in the absence of transparency. Without clear data-handling policies, users have no way of knowing whether the app is collecting analytics, tracking behavior, or engaging in unauthorized network activity.
Finally, SMEX’s forensic analysis identified several unidentified permissions within the app. Users are not informed of what these permissions entail or to whom they apply. Without proper restrictions, the app could receive system-wide broadcasts—functions that typically notify users about updates or restarts. These could be exploited to continuously monitor users or even allow attackers to hijack the broadcasts, manipulating users into taking actions that serve malicious purposes.
Third Parties and the Privacy Policy
Although the company behind Sham Cash remains officially unknown, SMEX has received information suggesting that it may have been developed by a Turkish company called NorthSoft, which specializes in programming and tech solutions. However, there is no publicly available information about this company’s involvement or any third-party services connected to the app’s operation.
Sham Cash lacks a proper privacy policy, and its Terms of Use do not meet standard data protection guidelines. This absence of transparency creates significant risks for users and opens the door to potential fraud and abuse. Users are not informed about how their data is collected, stored, shared, or protected—nor are their rights clearly outlined.
In fact, no privacy policy is published on the Sham Cash website. Instead, users are presented with a list of nine vague Terms of Use that essentially absolve the app of any responsibility in cases of fraud, technical failure, or data loss. These terms also allow Sham Cash to deactivate user accounts without notice. The ninth term explicitly states:
“We reserve the right to change or amend this agreement at any time, without the obligation to notify you. Announcing the changes, in the manner we deem appropriate, will suffice. By continuing to use the app, you accept all such changes.”
These terms indicate a disregard for user consent and control over personal data. Based on SMEX’s forensic risk assessment scale, Sham Cash scored 17 out of 22 (22 indicating the highest level of risk).
Due to its technical vulnerabilities, opaque policies, and lack of safeguards, SMEX does not recommend using the app.
Given these findings, Syrian authorities should not adopt Sham Cash as the official platform for disbursing public sector salaries—at least not until the app significantly improves its privacy practices, data encryption protocols, and overall reliability.
Users have already reported technical issues preventing them from accessing or managing their funds, reinforcing the need for authorities to ensure that any adopted platform is stable and user-friendly.
Most importantly, transparency is non-negotiable. Syrian citizens have a right to know which company developed the app, under which legal jurisdiction it operates, and how it handles user data. A clearly stated and accessible privacy policy is essential to protecting user rights and ensuring informed consent in every aspect of app usage.
The post Sham Cash Under Scrutiny: A Forensic Analysis of Syria’s New E-Wallet appeared first on SMEX.