Bitdefender finds cracks in Apple’s walled garden

John P Mello Jr CSO
22 July, 2013

Andrew Brandt is the director of threat research at Blue Coat. He’s also the victim of an aggressive advertising mobile app.

A few months ago, the Android enthusiast downloaded a game promoted by Amazon as the free app of the day. “I didn’t really think anything of it, but after I ran the game, strange things started happening on my phone,” he explained via email.

For example, notifications began appearing for things not installed on his phone. “Then within about 30 minutes of installing, playing and then putting the phone away, I received a text message confirmation that I had subscribed to some sort of paid SMS service for US$5.99 a month,” he said.

“Of course, I hadn’t subscribed to the service,” he said. “In fact, I hadn’t even sent an SMS message myself the entire day.”

What happened? Brandt had given the app permission to send SMS messages when he installed it – ostensibly, so he could share high scores and other content about the game with friends and other players. But the app abused the privilege and sent an SMS message, using a method outside the normal messaging app on the phone to auto-subscribe him to the premium service.

Brandt’s case was quickly remedied by his carrier and Amazon immediately pulled the app from its online store. But the problem of mobile apps sticking their binary noses where they ought not to is growing. And according to a study by Bitdefender, it’s an affliction significantly affecting both the Android and iOS worlds.

After analysing more than half a million free apps on both platforms over the last year, Bitdefender found “applications are equally invasive and curious on iOS as on Android, even though one may argue that one of the operating systems is safer”.

The study suggests that the ‘walled garden’ Apple has erected around its mobile ecosystem may have some cracks in it. “Surprisingly enough, iOS applications matched the ones written for Android,” Bogdan Botezatu, a senior e-threat analyst with Bitdefender, said in an email.

“Advertisers’ main goal is getting hold of user data regardless of platform, and will often go as far as the platform allows them to go,” he said.

For instance, more than 45 percent of iOS apps contain location-tracking capabilities, compared to about 35 percent for Android apps, the study noted.

Bitdefender found that 7.69 percent of Android apps could access contacts stored on a phone, and 18.92 percent of iOS apps did the same thing.

Although a portion of the Android apps could leak device IDs, email addresses and phone numbers, Apple’s review process largely keeps such apps out of its ecosystem.

About 15 percent of Android apps may leak device IDs about a handset, the Bitdefender study said, while almost six percent may leak email and more than eight percent may leak phone numbers.
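The figures above come from a permission-level survey, which is something a practitioner can reproduce on a small scale. The following is an added example, not Bitdefender’s tooling or any code from the article: it reads decoded AndroidManifest.xml files (as produced by a decoder such as apktool), maps each app’s requested permissions onto the data categories the study counts (location, contacts, device ID, email, phone number) plus the SEND_SMS capability behind the premium-SMS subscription described earlier, and reports per-category percentages over a corpus. The permission-to-category mapping and the sample manifests are this example’s own assumptions and constructed data.

```python
"""Permission-based triage of decoded Android manifests.

Added example (not code from the article or from Bitdefender): map each
app's <uses-permission> entries onto the data categories the study counts,
then aggregate over a corpus. The category mapping below is an assumption:
READ_PHONE_STATE is counted for both device ID (IMEI) and line number,
and GET_ACCOUNTS for e-mail, since account names are usually addresses.
"""
import xml.etree.ElementTree as ET

# Namespace used for android:name attributes in every manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Which requested permission implies which kind of data access (assumed mapping).
CATEGORIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "device_id": {"android.permission.READ_PHONE_STATE"},
    "phone_number": {"android.permission.READ_PHONE_STATE"},
    "email": {"android.permission.GET_ACCOUNTS"},
    "send_sms": {"android.permission.SEND_SMS"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def classify(manifest_xml: str) -> dict:
    """Flag each category as True if the app requests any permission in it."""
    perms = requested_permissions(manifest_xml)
    return {cat: bool(perms & names) for cat, names in CATEGORIES.items()}


def corpus_stats(manifests: dict) -> dict:
    """Percentage of apps in the corpus flagged per category (2 decimals)."""
    counts = {cat: 0 for cat in CATEGORIES}
    for xml in manifests.values():
        for cat, hit in classify(xml).items():
            counts[cat] += int(hit)
    total = len(manifests)
    return {cat: round(100.0 * c / total, 2) for cat, c in counts.items()}


def _manifest(package: str, *perms: str) -> str:
    """Build a minimal decoded manifest; constructed test data, not a real app."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')


# Constructed corpus of four hypothetical apps. The "game" mirrors the case
# described above: a free game that also holds SEND_SMS and identity permissions.
SAMPLE_MANIFESTS = {
    "game": _manifest("com.example.freegame",
                      "android.permission.INTERNET",
                      "android.permission.SEND_SMS",
                      "android.permission.READ_PHONE_STATE",
                      "android.permission.READ_CONTACTS"),
    "maps": _manifest("com.example.maps",
                      "android.permission.ACCESS_FINE_LOCATION",
                      "android.permission.INTERNET"),
    "flashlight": _manifest("com.example.torch", "android.permission.CAMERA"),
    "notes": _manifest("com.example.notes"),
}


if __name__ == "__main__":
    for name, xml in SAMPLE_MANIFESTS.items():
        flagged = [cat for cat, hit in classify(xml).items() if hit]
        print(f"{name:12s} {', '.join(flagged) or '-'}")
    print("corpus:", corpus_stats(SAMPLE_MANIFESTS))
```

On real input, point the script at the AndroidManifest.xml of each decoded APK instead of SAMPLE_MANIFESTS; the "send_sms" column is the one to read first, since a game or utility with no messaging feature has no business holding that permission.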

While iOS apps could technically leak device IDs, emails and phone numbers, Bitdefender’s Botezatu explained, Apple routinely rejects such apps when it reviews them for suitability for its app store.

“Apple has had long-standing, strict policies in place,” Jeremy Linden, a security product manager for Lookout, said in an email. “While Google Play has policies regarding ad behaviour, they aren’t as rigorous as Apple’s.”

In addition, Apple intensely enforces its policies. “Apps have to be reviewed before they are published,” Linden explained. “This makes publishing an iOS app more cumbersome, but does help enforce some of the policies Apple sets.”

Apple did not respond to a request for comment.

According to Trend Micro, almost one in four Android apps contains malware or the kind of premium subscription scam that infected Brandt’s phone. “Those apps not only exfiltrate your credentials, but [can] send text messages and access websites that you get billed for through your telco provider,” Tom Kellermann, vice president of Cyber Security for Trend Micro, said in an interview.

“It’s a great way to milk someone,” he continued, “because they’ve downloaded an app that, unbeknown to them, steals their credentials and contact lists and forces them to use premium services.”

Although the use of aggressive adware is a growing problem in the mobile world, it isn’t new. “It’s a problem that’s been around forever,” Dirk Sigurdson, director of engineering for Rapid7’s Mobilisafe, said in an interview. “PCs have always had this problem, as well. Adware has always collected information from users to tailor ads for them.

“At least with mobile, you can see what your apps are accessing,” he added.
