Popular Android Apps Surreptitiously Skimming Sensitive Data and Uploading to Adware Services
Several of the most popular Android apps are skimming users’ phone numbers, e-mail addresses and other data and uploading it to third party servers that belong to companies specialized in advertising to Android users, according to a Bitdefender analysis.
Paradise Island, Love Calculator, Samsung TV Media Player are among the popular apps that have adopted this practice, taking sensitive user data and uploading it to adware services such as Airpush, Jumptap, LeadBolt, Aarki and more.
This can be a concern because information such as user profiling and location tracking can be used by companies to better serve ads to a targeted demographic for marketing campaigns.
As part of our ongoing research into mobile apps and concerns surrounding privacy and security, Bitdefender presents here some of the findings on specific popular Android apps:
Taking a closer look at Paradise Island from Game Insight International, our research team discovered that it uploads users’ phone number and email address to AirPush.com, sends the devices’ unique identification code (International Mobile Equipment Identity or IMEI) to Aarki.net, and uploads the current location on a remote server by using Jumptap.
Aarki, JumpTap and AirPush are mobile ad platforms that enable developers to get more control over mobile campaigns by managing ad placements and helping them to generate more revenue.
For a simulation game that’s all about building a virtual empire, Paradise Island collects private and unique user data that it doesn’t need to perform adequately. The Permissions tab in Google’s App Store does state that Paradise Island can “Read Phone State and Identity” so that it can pause when receiving a phone call, but there’s no reason for it to upload a user’s phone number to AirPush.
With more than 10 million installs and more than 63,000 user ratings, it’s safe to assume that a large user database is being created.
Love Calculator (animated!!)
Another game that uploads users’ phone number location and Unique Device Identifier to the internet is Love Calculator (animated!!) by developer NoAim. Our analysis found the app uses mobile ad network Leadbolt that can send spam notifications. It also places spam icons on a phone’s home screen.
Closely examining the Google Play Permissions tab, you’ll notice that it also uses “Coarse (Network Based Location)”, “Fine (GPS) Location”, and it can “Access Extra Location Provider Commands”. Google warns that such features could be used by malicious apps.
“Malicious apps may use this to determine approximately where you are,” says the Google Play Permissions tab for Love Calculator. “Access coarse location sources such as the cellular network database to determine an approximate phone location, where available. Malicious apps may use this to determine approximately where you are.”
Love Calculator also asks for permission to check the list of accounts stored on the phone or tablet, although the app requires users to input names and not to select them from a friends list.
Surprisingly, the app requests permission to automatically start at boot, as soon as the system finishes loading. Not only could this significantly slow down a phone’s performance, it’s also an odd behavior for an app that’s supposed to tell you “how deep the love between you and your partner is”.
Samsung TV Media Player
The app enables users to stream media files from their device directly on their Samsung TV through their local Wi-Fi network. However, a ZappoTV account is required and our investigation revealed that account login passwords are broadcasted to Zappo’s website with no encryption, putting user data at risek.
Beyond the app’s collection of device ID, using unencrypted passwords makes it easy for an attacker to spoof your data and log in to your account and access your photo and video history. Depending on what type of content you’re streaming on your TV, personal information could be vulnerable to prying eyes.
Using the same location-tracking features that Google believes “malicious apps may use”, and accessing the list of accounts known by the tablet, Samsung TV Media Player can also “read from the system’s various log files”.
“This allows it to discover general information about what you are doing with the tablet, potentially including personal or private information,” according to the app’s Permission tab on Google Play.
While having such access is required if users want to delete their viewing history, clear parameters on what the app can and cannot access need to be set in place, to avoid tapping into sensitive information.
Although it’s not as popular as the previously mentioned Paradise Island, the Hexa Blast puzzle game behaves in the same way by uploading users’ IMEI through Flurry Analytics, phone number, location, and others to the Internet.
Spam notifications and spam icons are also a packet deal with Hexa Blast, and the same aggressive location tracking techniques are built in. Removing the app won’t automatically remove shortcuts on your home screen that redirect to other sponsored games nor will it restore your default search engine after replacing it with Searchmob.com.
Android apps – from the extremely popular to the innocuous apps nobody seems to have ever heard of – can have services and permissions that might compromise user privacy.
Checking Android app permissions before actually installing them is always the best policy. However, if you’re using a mobile antivirus solution you’ll always be notified of aggressive adware, malware, and apps that behave the way they shouldn’t.