Free Android Apps Secretly Talk To Ad, Tracking Sites - InformationWeek

Commentary
5/4/2015
01:11 PM
Eric Zeman

Free Android Apps Secretly Talk To Ad, Tracking Sites

Researchers are warning about misleading Google Play app behaviors and are calling for more visibility into Android applications' connection policies.


Android apps have lots of secrets. They enjoy reaching out to ad-related, user-tracking, and even malware-hosting Web sites behind your back. Free apps are especially prone to these behaviors. Researchers believe such practices need to be exposed, so they've generated a plan to do just that.

There are a number of different ways to score apps for your smartphone. The two biggest are of course the Apple iTunes App Store for iPhones and Google's Play Store for Android phones. Microsoft and BlackBerry host their own stores for their respective platforms, too, but they are much smaller in scale.

Apple is famously strict in its app review practices in order to create a better experience for end-users. Google is more laissez-faire in its approach and (perhaps) places too much trust in app developers. The result leads to a wide range of apps with an even wider range in quality. Google weeds out truly malicious apps, but leaves many that exhibit questionable behaviors free and open to all.

"The lack of oversight in Android Play Store makes it all too easy for end-users to install applications of dubious origin, or those which silently carry out activity that might not be seen favorably by the user," wrote Eurecom lead researcher Luigi Vigneri.

(Image: mammela via Pixabay)


Vigneri's team developed a system for tracking what apps do when no one is paying attention.

What they learned is discomforting.

The team downloaded some 2,000 free apps from each of the 25 app categories listed in the Play Store. The team ran the apps on a Samsung Galaxy SIII and monitored all the traffic generated by them on its own server. Specifically, the team wanted to see what URLs the apps were reaching. The team then compared the contacted URLs to those known to serve ads, track users, and host malware.
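The comparison step described above, sketched as an added example (not the Eurecom team's code): distinct URLs per app are bucketed by matching each hostname, on label boundaries, against category domain lists. The domain lists, app names, and capture entries are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed category lists (placeholders, not the lists the researchers used).
CATEGORY_DOMAINS = {
    "ad": {"ads.example", "adnet.example"},
    "tracking": {"track.example"},
    "malware": {"bad.example"},
}

# Constructed capture: (app name, URL requested), as a proxy log might record.
CAPTURE = [
    ("volume-app", "http://cdn.ads.example/banner?id=1"),
    ("volume-app", "http://cdn.ads.example/banner?id=2"),
    ("volume-app", "https://t.track.example/pixel.gif"),
    ("volume-app", "http://ADS.example./click"),
    ("notes-app", "https://notads.example/x"),
    ("notes-app", "not a url"),
]

def host_of(url):
    """Return the lower-cased hostname without a trailing dot, or None."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None

def categorize(host):
    """Match host or any parent domain against the lists (label-aligned)."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in CATEGORY_DOMAINS.items():
            if candidate in domains:
                return category
    return "other"

def summarize(capture):
    """Count distinct URLs per app and per category."""
    seen = defaultdict(lambda: defaultdict(set))
    for app, url in capture:
        host = host_of(url)
        if host is None:
            continue  # unparseable entry; skip rather than guess
        seen[app][categorize(host)].add(url)
    return {app: {cat: len(urls) for cat, urls in cats.items()}
            for app, cats in seen.items()}

print(summarize(CAPTURE))
```

Matching on whole labels keeps `notads.example` out of the `ads.example` bucket, which a plain suffix comparison would get wrong.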

The top 2,000 apps reached out to 250,000 different URLs. The researchers admit that most apps are connecting to only a small number of ad and tracking sites, but other apps aren't so shy about talking to anyone about anything.

Take an app called Music Volume EQ, for example.

This app helps users control the audio playback volume on their handset. Such an app has no need to use the Internet at all, let alone connect to ad servers, but boy does it ever.

"We find the app Music Volume EQ connects to almost 2,000 distinct URLs," according to the researchers. This app is not a unique example. Of the top 2,000 apps, about 200 attempted to reach 500 URLs each. Nine out of the top ten most-frequently-contacted sites are Google-run ad services. That says a lot.


A smaller number of apps connected to user-tracking sites. The researchers found fully 70% of apps don't contact tracking sites at all. The remaining 30%, however, make quite a show of it. Some connected to more than 800 sites that track users. Stunningly, Google said many of these 800 sites are those of top developers.

Even fewer apps connect to sites hosting malware.

"Our results underscore the need for a tool to provide users more visibility into the communication of apps installed on their mobile devices," according to Vigneri.

In other words, Eurecom's intentions aren't entirely altruistic here. The team hopes to release an app in the days ahead that lets users more easily track what their apps are doing in the background.

"With our application, end-users are able to understand the different domains the application is communicating with, which enables them to make informed decisions about the desirability of the applications they install," they said.

We've seen this type of pitch before: Create some FUD, then provide an app or service to dispel that FUD (Kaspersky, anyone?)

Businesses should maintain full control over what apps employees are downloading and installing on their handsets, which should be relatively easy given today's mobile device management tools.

Eric is a freelance writer for InformationWeek specializing in mobile technologies.
Comments
tjgkg,
User Rank: Ninja
5/5/2015 | 10:03:18 AM
Re: Dormancy Tests
I sort of wonder how many users really care about what access an app has to their smartphone. If you look at the permissions requested when the app is installed, you see how many permissions are requested that are really not needed for the app. It is scary to think of how much information is available to people behind the apps.
RetiredUser,
User Rank: Strategist
5/4/2015 | 9:00:39 PM
Dormancy Tests
This is a great setup and a much needed lab exercise. I think the potential for exposing apps with dormant malice through this model is great, too, if the exercise could be extended to months of study.  Some programs are set to sleep and only after a set duration awaken and begin executing tasks that are ultimately malicious.  With this lab, researchers can identify and catalog such apps and through the data submit app store removal requests and recommend user alerts as a follow-up customer service gesture.
tjgkg,
User Rank: Ninja
5/4/2015 | 3:23:02 PM
TMI
If one takes the time to look at the permission request when an Android app is installed you would be appalled at what they look to access. There should be something like a "line item veto" that allows you to deselect which permissions to grant. Why should my CVS app have access to my pictures?