Several of the most popular Android apps are skimming users' phone numbers, e-mail addresses and other data and uploading it to third party servers that belong to companies specialized in advertising to Android users, according to a Bitdefender analysis.
Paradise Island, Love Calculator, Samsung TV Media Player are among the popular apps that have adopted this practice, taking sensitive user data and uploading it to adware services such as Airpush, Jumptap, LeadBolt, Aarki and more.
This can be a concern because information such as user profiling and location tracking can be used by companies to better serve ads to a targeted demographic for marketing campaigns.
As part of our ongoing research into mobile apps and concerns surrounding privacy and security, Bitdefender presents here some of the findings on specific popular Android apps:
Taking a closer look at Paradise Island from Game Insight International, our research team discovered that it uploads users' phone number and email address to AirPush.com, sends the devices' unique identification code (International Mobile Equipment Identity or IMEI) to Aarki.net, and uploads the current location to a remote server by using Jumptap.
Aarki, JumpTap and AirPush are mobile ad platforms that enable developers to get more control over mobile campaigns by managing ad placements and helping them to generate more revenue.
For a simulation game that's all about building a virtual empire, Paradise Island collects private and unique user data that it doesn't need to perform adequately. The Permissions tab in Google's App Store does state that Paradise Island can "Read Phone State and Identity" so that it can pause when receiving a phone call, but there's no reason for it to upload a user's phone number to AirPush.
With more than 10 million installs and more than 63,000 user ratings, it's safe to assume that a large user database is being created.
Love Calculator (animated!!)
Another game that uploads users' phone number, location and Unique Device Identifier to the internet is Love Calculator (animated!!) by developer NoAim. Our analysis found the app uses the mobile ad network Leadbolt, which can send spam notifications. It also places spam icons on a phone's home screen.
Closely examining the Google Play Permissions tab, you'll notice that it also uses "Coarse (Network Based Location)", "Fine (GPS) Location", and it can "Access Extra Location Provider Commands". Google warns that such features could be used by malicious apps.
"Malicious apps may use this to determine approximately where you are," says the Google Play Permissions tab for Love Calculator. "Access coarse location sources such as the cellular network database to determine an approximate phone location, where available. Malicious apps may use this to determine approximately where you are."
Love Calculator also asks for permission to check the list of accounts stored on the phone or tablet, although the app requires users to input names rather than select them from a friends list.
Surprisingly, the app requests permission to automatically start at boot, as soon as the system finishes loading. Not only could this significantly slow down a phone's performance, it's also an odd behavior for an app that's supposed to tell you "how deep the love between you and your partner is".
Samsung TV Media Player
The app enables users to stream media files from their device directly to their Samsung TV through their local Wi-Fi network. However, a ZappoTV account is required, and our investigation revealed that account login passwords are sent to Zappo's website with no encryption, putting user data at risk.
Beyond the app's collection of the device ID, sending passwords unencrypted makes it easy for an attacker to intercept them, log in to your account and access your photo and video history. Depending on what type of content you're streaming on your TV, personal information could be exposed to prying eyes.
Using the same location-tracking features that Google believes "malicious apps may use", and accessing the list of accounts known by the tablet, Samsung TV Media Player can also "read from the system's various log files".
"This allows it to discover general information about what you are doing with the tablet, potentially including personal or private information," according to the app's Permission tab on Google Play.
While having such access is required if users want to delete their viewing history, clear parameters on what the app can and cannot access need to be set in place, to avoid tapping into sensitive information.
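The permission patterns called out above for Love Calculator (location, accounts, autostart) and Samsung TV Media Player (reading system logs) can be checked before installing by reading an app's manifest. The following is an added example, not Bitdefender's tooling: it parses a constructed AndroidManifest.xml and groups the declared permissions into the risk categories the post describes; the permission names are real Android identifiers, the groupings and the sample manifest are this example's own.

```python
# Added example (not Bitdefender's tooling): flag the permission patterns this post
# calls out by reading <uses-permission> entries from an AndroidManifest.xml.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission names are real Android identifiers; the groupings are this example's own.
RISK_GROUPS = {
    "location_tracking": {
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_LOCATION_EXTRA_COMMANDS",
    },
    "device_identity": {"android.permission.READ_PHONE_STATE"},
    "account_enumeration": {"android.permission.GET_ACCOUNTS"},
    "autostart": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "log_snooping": {"android.permission.READ_LOGS"},
}

# Constructed manifest mirroring the Love Calculator permissions described in the post.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lovecalc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}

def audit_permissions(manifest_xml):
    """Map declared permissions onto the risk groups; returns {group: sorted perms}."""
    perms = requested_permissions(manifest_xml)
    return {
        group: sorted(perms & members)
        for group, members in RISK_GROUPS.items()
        if perms & members
    }

if __name__ == "__main__":
    for group, perms in audit_permissions(SAMPLE_MANIFEST).items():
        print(f"{group}: {', '.join(perms)}")
```

A manifest pulled from a real APK can be fed to audit_permissions() the same way; a hit in several groups at once (location plus accounts plus autostart, for a game) is the combination the post treats as a red flag.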
Although it's not as popular as the previously mentioned Paradise Island, the Hexa Blast puzzle game behaves in the same way, uploading users' IMEI through Flurry Analytics, along with phone number, location, and other data, to the Internet.
Spam notifications and spam icons are also part of the package with Hexa Blast, and the same aggressive location tracking techniques are built in. Removing the app won't automatically remove the shortcuts on your home screen that redirect to other sponsored games, nor will it restore your default search engine after replacing it with Searchmob.com.
Android apps, from the extremely popular to the innocuous apps nobody seems to have ever heard of, can have services and permissions that might compromise user privacy.
Checking Android app permissions before actually installing them is always the best policy. However, if you're using a mobile antivirus solution you'll always be notified of aggressive adware, malware, and apps that behave in ways they shouldn't.