back to article Android app secretly uploads GPS data, warns Symantec

Researchers from anti-virus provider Symantec have outted a gaming application in Google's Android Market that tracks users' whereabouts so they can be secretly monitored in real-time. The free app is known as Tapsnake, which bills itself as an Android variation of a video game that has been around for three decades. What the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Flame

    Whatever

    Why has this not been pulled already? Where is googles kill switch now? Or are google concerned because they already collect data like this from handsets themselves?

    Anyway:

    1) Getting access to somebodys handset is relatively simple. The uses for this are probably for people in a relationship, so accessing the phone is going be simple enough.

    2) Most normal, non-geeks, will look at the list of "access privileges", and just click yes without understanding them. You can say they should not be in charge of technology but that is 1980's geek thinking that went out of fashion 10 years ago. Go back to your backoffice *NIX boxes.

    1. Tigra 07
      Grenade

      Agree completely with a lot of that AC...

      Not enough people are reading the permissions screen.

      Why would snake need to know your location?

      It's not bloody rocket science!

      1. Giles Jones Gold badge

        Permissions should be locked down by default!

        Go back in time and look at how Microsoft used to provide Windows all enabled and not restricted. Users would then require the skills to lock it all down and make it secure. Firewall included but not activated for example!!!

        You can't rely on the user knowing what all the terms mean. For example: GPS may mean nothing to some people, "Allow this application to monitor and share my location" means something. I've not used the software in question, but Android does seem a bit geeky and "made by techies, by techies".

        Secure by default is better for avoiding viruses, ID theft and the like. Okay, maybe not for tech support people who have to then explain how to enable and unlock things.

        1. Tigra 07
          FAIL

          RE: Giles

          "Secure by default is better for avoiding viruses, ID theft and the like. Okay, maybe not for tech support people who have to then explain how to enable and unlock things."

          The phones are not secure by default because Google could decide at any time to track you and they all have access to the android store

          Any app can start being used maliciously or even updated to do so, including Google Maps if they wanted to.

          So to secure the phone, the only way is to block all aps, internet and downloads

          In which case anyone who can't read is too stupid to own an android smartphone and should keep their old phone

          This leads me to the assumpton Giles that either you don't know anything about android smartphones and how these "permissions" work (hence why you said they were for techies) or you just assumed aswell

        2. T-Unit

          Actually Giles

          Android DOES explain the techy terms. If an app needs permission for location it actually lists it as as "your location course (network)" and "Your location fine (GPS)". Not sure quite how much clearer they could make it

  2. Anonymous Coward
    Anonymous Coward

    Snoop features are disclosed...

    Symantec says that "The Android OS also prominently notifies users installing apps about the types of resources that will be accessed, so marks who install Tapsnake should have some reason to be suspicious if they're paying attention."

    "But Symantec has gone ahead and classified the app as malicious, mainly because its snoop features aren't disclosed."

    So the application installer DOES tell the user that it is going to access the GPS. Me thinks this is more FUD from another anti-virus company seeing their gravy train vanishing into the sunset. It smells like a part of a marketing strategy for Norton Everywhere.

    "The researchers also dinged the app for continuing to run in the background even when a user attempts to kill the app."

    1. nichomach
      FAIL

      Filler required.

      1. The Register said that, not Symantec; reading comprehension fail.

      2. Saying "I may require access to the internet or to GPS" is somewhat different from saying "Hi there! I'm your plastic pal who's fun to be with and I'll be telling an unspecified remote user with a snooping program where you are every few minutes! Thanks, and have a nice day!" - and expecting the average user of a MOBILE PHONE, for ****'s sake, to understand that these may mean the same thing and make an informed decision on that basis is simply stupid.

    2. The Indomitable Gall

      Think like a user...

      The "access to resources" is pretty obscure, and people will always assume that this is what it needs.

      If you want proof, just look at Facebook viruses. They only work because most users don't understand the importance of "send messages on your behalf".

      Moreover, even though the program asks for permission, this is not enough to fulfill legal criteria for "informed consent". The permission was gained while withholding the recipient's intent.

      And if that wasn't enough, reread the article -- the app doesn't close when you exit. Without warning, it continues running in the background. Even if a user is happy with the GPS information being collected for whatever reason, he still has a reasonable expectation to opt out by closing the app.

    3. Claus P. Nielsen
      FAIL

      Assumptions

      You are assuming that all users always install all their own apps.

      That is simply not true.

      I can think of a long list of ways to trick somebody into letting me install a game on their phone for them.

      Just try it - - here let me handle it so I can use my account to pay for it.

      If it runs in the background after it has been opened the first time, then I just need unmonitored access for a minute or so to install the game in an obscure location, run it once and start monitoring the owner of the phone.

      Great tool for stalking.

      So Yes. It is a very good idea to flag this as malware. Informed users can then just ignore the warning (and be monitored by whoever had the chance to change the monitoring settings in the game when they didn't look.

  3. Trevor_Pott Gold badge
    Coat

    Harrumph

    Android users will accept that this is a malicious application and deal with it accordingly. If it were an iPhone app and had made it through the Holy Censurewall, it would be considered a feature, not a bug. (Okay, that’s flame bait because I’m irritable. I retract the statement.)

    Of course, the Holy Censurewall does offer a far better chance that something like this would never be released for public consumption, but periodically apps are missed. I think the existence of apps like this does reveal the need for a middle ground to exist. Something more open, (or at least far more consistent) than the Holy Censurewall, yet not as “wild west” as the full-blown Android Market.

    Perhaps Google should consider tinkering with the market a little such that you can choose to see “vetted” apps or “all” apps. Either that or a App Confidence Rating. Not the crowdsourced star rating that is easily gamed, but a rating similar to the Web Of Trust system. Just for apps instead of websites. Preferably this would be something where minions not only of the Chocolate Factory, but Symantec, Sophos, SANS and whomever else are trustable security types contribute to the ACR.

    I don’t see why we have this whole new platform (smartphones with app stores) but we are making the same mistakes as twenty years ago on the desktop market. Why are “control-freak walled garden” and “free range sanity holocaust” the only two options?

    Yeah, yeah…getting my coat.

    1. Lou Gosselin

      @Trevor_Pott

      "Why are 'control-freak walled garden' and 'free range sanity holocaust' the only two options?"

      Very level headed comments.

      There is no reason that an app market place cannot (or should not) default to providing safe/vetted apps only, as long as it can be overridden by power users.

      The only issue with this (and perhaps a large one), is that if desirable apps are not approved quickly enough, then normal users will be tempted to override protection mechanisms.

      Still, it's definitely better that apple's garden, and illiterate users can still be protected from potential dangers of unrestricted access.

    2. BorkedAgain
      Happy

      "free range sanity holocaust"

      ...gave me my first chuckle of the day, and I thank you for it.

    3. Iggle Piggle

      Agreed

      I am not for the iPhone approach of pulling anything that does not meet exacting standards (or whose developer has cheesed some fruity judge off somehow). However I do think the Android app store should have some controls such as a vetted for Android logo. I also think it would be sensible to at the very least place warnings against applications know to have suspicious behaviour.

  4. Anonymous Coward
    Thumb Down

    All getting a bit Daily Mail

    OK its a malicious App but you have to give it permission to access GPS however you paint the picture. The real story is simply that some people are too stupid to own a smartphone.

    ...and presumably that Symantec are doing the pre-marketing for an Android security suite which will replicate the built-in Android permissions system with colourful pictures, SFX and a constant 30% cpu load, before completely failing to protect if/when a genuine exploit-empowered Trojan or Virus actually surfaces.

    1. Antidisestablishmentarianist
      Flame

      So...

      "The real story is simply that some people are too stupid to own a smartphone."

      Yes, all the stupid sheeple should just get iPhones right? and leave smart people to the 'smart' Android.

      Actually I'm totally happy if that's the case. It means if I ever see someone with an Android phone I'll just avoid them - as they obviously have an overinflated sense of smartness, which as we all know is long hand for fuckwit, or something....

      (I own neither an iPhone or Android owner - just a proud oldskool "it's just a phone FFS" owner)

      1. Lionel Baden
        Thumb Down

        @Antidisestablishmentarianist

        Actually I'm totally happy if that's the case. It means if I ever see someone with an Android phone I'll just avoid them - as they obviously have an overinflated sense of smartness, which as we all know is long hand for fuckwit, or something....

        Thank you ill go buy an Android now

        Your comment is even more obnoxious than the previous poster.

        He actually has a point though, sheeple do not have the knowledge or understanding of what is possible with a modern smartphone

        1. The Indomitable Gall

          @Lionel Badin

          "He actually has a point though, sheeple do not have the knowledge or understanding of what is possible with a modern smartphone"

          There's a slight problem with that statement, I shall try to explain it.

          The smartphone was not designed for "the elite", it was designed for "the masses".

          What is possible with a modern smartphone should have been led by what "the masses" know -- this is the single most important rule in product design.

          Android was written by geeks, as a fork of an OS originally written by geeks, for geeks.

          When you talk to these people about UX they only think UI -- they ignore that the whole system is user space, even though to them it is. They think they can hide the system, and that this will be good enough.

          No, you need an OS designed ground up from the perspective of "dumb user" -- that really means one of the *proper* mobile OSes, not some hacked-up version of a mail-server OS with a colourful screen on top.

          1. Lionel Baden

            @gall

            Sorry it took so long to reply but i tried reading it when i was drunk and my brain imploded

            I understand it better now ...

            i think it all depends on who you beleive the smartphone is developed for.

            i believe it has been designed for the "elite" and then given to the masses.

            The article is basically about how the phone has not been developed with the masses using them properly.

            Its basically a matter of people who have a fundemental understanding of smart phones developing them.

            E.g. if i ask somebody to goto the control panel i would automatically assume they know its in the start menu. That same issue is what were having in the smart phone market.

      2. Anonymous Coward
        FAIL

        @ Antidisestablishmentarianist

        Um... the iPhone IS a smartphone so no... no they shouldn't.

    2. Anonymous Coward
      Grenade

      Or...

      ...you access you partners / work collegues phone while they take a piss. Install the app. And bingo. Instant traking device.

      Chances are they will think they downloaded it sox month ago along with all the other pointless shit that people that own these need.

      Oh look I have a fire on my phone...ohhh look water ripples,...OMG it farts...Ooo look a snake game.

  5. JaitcH
    Unhappy

    Get it straight - the GPS feature is NOT MEANT FOR YOU

    The GPS feature was mandated by the U.S. FCC who thought it would be a handy thing for law enforcement. It can be/is interrogated remotely without cell phone user knowledge or permission.

    The advent of smartphones means that none of us really know what data is being accessed by whom and for what the data is to be used or distributed to. This means ANY data you enter along with ANY DATA acquired by the cell unit in question.

    Until an App appears that allow me to determine who gets what I am more than happy to use my GPS crippled cell (the 'fix' only takes about 10 minutes), along with my tether adapter for my PDA. Cell ID numbers are sufficient for me (living in a country where this data is public).

    Where I am is my business and mine alone, not some nosey Plod who thinks he is entitled to know everything. Remember, also, to practice good cell hygiene by clearing all your registers of missed calls, numbers called, etc. Using more than one SIM also fries Plod minds, as does turning off your cell for 10-15 minutes to clear those nasty crumbs left in memory.

    1. EvilGav 1

      Paranoid much ?

      You are aware of triangulation by using the cell tower(s) your phone is connected too, a feature that will get your position to within 100m or less, depending on the cell density ??

      1. JaitcH
        FAIL

        Triangulation is defective science

        My cell can be programmed to display cell information and it soon becomes very clear that optimum signal paths do not lie either with the nearest cell head end nor follow any logical path due to signal refraction / deflection / multipath.

        When I reside in downtown Toronto there is a cell site a couple of blocks away from my building yet the site my cell phone favours is about 2 kilometres away! Not too useful for location purposes.

        In my country of residence I use a Yagi from my place in the country to reach the nearest viable cell site, and no triangulation is possible.

        You should bar in mind that many others, apart from Plod, have interests in peoples movements and tracking services are available.

        I travel frequently, across international borders, and laptop and cell phones are frequently 'borrowed' by border control for a copy session. Whenever transiting either the Atlantic or Pacific or Europe I make a point of carrying my cells turned off and SIM-free which makes technical copying pointless. I use TrueCrypt on all my drives (mounted or loose), just remember to rename the files to lose the suffix .tc as even Plods can figure out the significance of this. .ISO is a good alternative.

        1. RichyS
          Black Helicopters

          Paranoid android

          Don't tell me, you travel so much because you're being 'followed'.

          Black helicopters icon, obviously.

    2. BorkedAgain
      Coat

      I like your hat.

      Shiny.

    3. Anonymous Coward
      Black Helicopters

      Oh please

      The FCC have asked phone manufacturers to make handsets locatable for handling 911 calls. That doesn't mean all phones must have GPS. The networks can get sub cell location data without switching on the GPS. GPS drains batteries and often doesn't work indoors so is a fairly ineffective means of covert tracking. Plenty of phones don't have GPS and 93% of cell phones are outside the US.

      There are some valid concerns with privacy and smart phones, but if you're that paranoid about being tracked then you'd be better off not having a phone at all.

    4. Anonymous Coward
      FAIL

      #Meant for you...

      > It can be/is interrogated remotely without cell phone user knowledge or permission.

      Point me at the source code which handles this in Android please....thought not.

      It would be a pointless over-effort anyway, since they can just get your position and, more usefully retrospective movements, from the telco without a warrant, as they have always been able to in the UK/US, and presumably everywhere else, since the dawn of cellphones.

      1. Charles 9
        Joke

        Would not be visible.

        "Point me at the source code which handles this in Android please....thought not."

        Of course it wouldn't show up in the Android source code. For all it knows, such a discrete tracking ability is unknown to Android. Look to the chips themselves, where hidden code would be located such that, given the right set of signals, it hooks directly up to the GPS (or taps a GPS unit already contained in the IC) and begins transmitting a coded sequence, all without Android being the wiser since it's a pure hardware link with no OS intervention.

  6. Anonymous Coward
    Big Brother

    Just rebrand it...

    Just rename it "track your teenager".

    Sure it will have both good and bad uses, but so does a bread knife.

    At some point society will have to come to grips with the huge and complex problems created by technology.

    Just like we teach our children to not play with knifes and not talk to strangers we will need to start with "don't click on the attachments"/"don't download random apps" etc. It's simply part of the brave new world we live in.

    1. Anonymous Coward
      Anonymous Coward

      Mixture

      "Just like we teach our children to not play with knifes and not talk to strangers we will need to start with "don't click on the attachments"/"don't download random apps" etc. It's simply part of the brave new world we live in."

      I've been trying to educate my family of this for longer than I care to remember. Perhaps a practical demonstration of why not to use knives by a stranger warning of the dangers of opening attachments/downloading apps is needed.

    2. nation of stupid

      rename it "track your teenager"

      That's the actual purpose of it, and if anyone has actually followed the link to GPS Spy the Tapsnake game is supposed to be one part of the GPS tracking system simialr to zest:trak, not as Symantec claims that it's a separate piece of malware that broadcasts your GPS location to the world at large. As you said, the developer should have just picked a more appropriate name.

      Heck, you don't even need programs installed to be able to track a mobile http://www.traceamobile.co.uk/

      Good idea hiding it in a snake game, it's more likely to stay on the phone and not be deleted when the teenager cleans up the phone memory.

      Of course it's all pretty useless if the phone user turns the GPS off to get the phone to last all day as it's constantly checking it's location.

  7. Doug Glass
    Go

    I didn't realize ...

    ... basements were worth tracking.

  8. Doug Glass
    Go

    Oh Wow !

    You just have too much real world sense and practicality to be able to post "popular" comments here.

  9. Anonymous Coward
    Anonymous Coward

    quote from the ess aitch 1 t s

    Download and install the free Tap Snake game from the Market to the phone you want to spy on. Press MENU and register the Snake with the service.

    Use the GPS Spy app on your phone with the same email/code to track the location of the other phone.

    Nice.

  10. goldcd
    WTF?

    FFS

    I know it's been mentioned below.

    But if you go to the market.

    Select Tapsnake.

    Press install.

    Right at the top it says, with a nice exclamation mark glyph:

    "This application has access to the following:

    Your Location

    coarse (network-based) location, fine (GPS) location"

    It's not hidden.

    Why on earth anyone install a game that mysteriously needs access to your GPS, is beyond me.

    1. Anonymous Coward
      Anonymous Coward

      In all fairness

      One of the advertising providers, possibly AdMob (possibly not) requires GPS and the Internet permission to provide targeted adverts.

      That makes the distinction of whether an application needs those permissions a little more blurry. It may be for ads, it may be to steal your data.

  11. Erroneous Howard

    Lots of apps use GPS

    Plenty of apps use GPS data even for things as simple as uploading scores along with an approximate location. I came across a number of these on the iPhone as well. Most of these though use "coarse" location data, which is only an approximation of the position - I suspect that this other app uses "fine" location data which is much more accurate.

    I'd be suspicious of any app requesting "fine" location data aside from the obvious navigation-type applications.

    btw JaitcH, I can hear the black helicopters.....they're coming for you!

  12. Eponymous Cowherd
    WTF?

    Its the developer that is stupid.

    There are plenty of games formats that may require both Internet and GPS access (so-called Trans-reality games).

    Yet the muppet that crafted this piece of spyware chose a game that obviously *doesn't* need those features.

    Its like wandering down the street carrying a crowbar and bag labelled "Swag" and not expecting Plod to take an interest.

    1. Anonymous Coward
      Stop

      Just don't go above the speed limit !

      If you break the speed limit they will be interested in you. Anything else ? Nope.

      If you must break the speed limit do it at plod teabreak time. They will be going much faster than you, and will be too busy trying to get a hot cup of tea to notice.

      Not a fan of GPS tracking. Yet another example of big brother watching you.

  13. Mike 68

    Who is LESS evil these days?

    Seems like if you want a fancy-phone, your choices are Apple, MS or Google. Is there a decent non-evil smartphone out there?

    1. RichyS

      No-one Finnish can possibly be evil

      How about a smartphone from those nice Nokia people.

      Oh, you said /decent/. Sorry...

  14. Steve Gill

    Simples

    Because they do not understand the risks, or even in most cases understand that there could be a risk.

    When that list comes up they will simply assume it's all fine and required.

  15. Richard Sloan
    Coat

    Snake. Snake! SNAAAKE!

    It is reported you can hide snake's location 100% effectively by hiding him under a cardboard box.

  16. Lloyd
    FAIL

    The problem with Android is

    That it's geared at tech savvy people, unfortunately a lot of the manufacturers are simply seeing it as a cheap way to chuck a smart phone on the market thus we're starting to see a glut of devices out there and many people without the smarts to use them. If I were recommending a smart phone to a generic phone user I'd recommend buying a iPhone so Jobs can nursemaid you, for anyone who knows the difference between a mini usb and micro usb port I'd recommend an Android.

    Incidentally, if I were recommending to someone I didn't like, I'd suggest a Blackberry.

  17. Chris Thomas Alpha
    WTF?

    Isn't it kinda obvious

    that what you do is this

    virus software maker detects a software which uploads GPS data to third party, the app is put through a vetting process to see if it actually does so maliciously, whilst this is done, the app market's key is revoked, putting the app off the market whilst it's investigated.

    the developer can continue to contact google to plead it actually does have a good purpose, google will then respond to activate the key or reject the app permenantly, marking the developers name with a black mark, just in case they try it again.

    I suppose this is why apples process of forcing people to pay money upfront kind of stops people from being naughty(although I'm sure it doesn't stop everyone), cause if you have to pay 100 dollars a year to have a developer key, then most russian virus writers aren't going to be bothered, to pay 100 dollars to get revoked every couple of months might be expensive, so even though the review process from apple is perhaps a bit over the top, the idea of forcing people to pay money upfront for a chance to get banned and blacklisted might be a good idea. even though I'm not happy with the idea of google deciding what you produce.

    So perhaps, in order to get a developer key, you have to pay 100 dollars a year, then if your app is marked malicious, or companies like symantec mark your app as malicious through a "protector of the market affiliate program" then your app goes off the market and gets investigated, if you're clean, it's put back, if you're not, you get banned and have to open another account and pay another 100 dollars.

    it might be a bit centralist, but at least people who believe their app will make MORE than 100 dollars, will still write apps, whereas anyone who seriously thinks it'll just make a couple of bucks will be deterred, hence cleaning up the market from the crap that people write at the same time. But if you write viruses, or malicious apps, you have a heavy price for getting found out.

    so you can still have the free range market, it's just that if you're black marked, you might get revoked, perhaps that could work as a deterrant? or not, meh, I dunno, sounds viable at least.

    although right now, I'm finding it hard to understand why the app is still on the market even though it's doing something a snake game shouldn't be doing. If the app was doing some kind of game matching with players on the train, I might think it's doing it's job, but a snake game with no multiplayer has no real purpose to use the GPS device, should get banned.

  18. dssf
    WTF?

    Packet Monitor?

    Why cannot (other than the recent disclosure) anyone write a simple packet flow meter for lay people or higher? Better yet, a decent data logger.

    It ANY packets mover in or out of the phone, it's logged according to granularity settings. It should monitor the antenna, not just the OS. THis way, if any BS snooping code is in the chips, then going into or out of the antenna might help. The app, service, chip, and other sources or destinations should be identified.

    I'm asking for this not so much out of helicopters in the sky, but crappy applications that keep TRYING to access GPS and cell towers, draining the HELL out of my battery. Not all the apps are miscreants or rogues. I don't have time to cherry-pick to a science each app. So, having an interface that identifies, trends, and reports bad apps.

  19. packetwerks

    This is not a new issue

    I gave a talk at Shmoocon in Feb this year about a game that sends your high-res geo coordinates to the game server every 30 seconds. These coordinates are available to anyone else in the game. I tracked thousands of players for two months and plotted their movements to Google Earth. See here for the video:

    http://www.stratumsecurity.com/blog/2010/02/12/shmoocon-2010-video-online-the-new-world-of-smartphone-security/

    Slides:

    http://www.slideshare.net/packetwerks/the-new-world-of-smartphone-security?from=ss_embed

This topic is closed for new posts.