Some of the apps discussed in this blog entry were developed with an older adware SDK that did not contain opt-in provisions, particularly regarding the ability to collect information and display ads outside of the original app. The adware SDK has since been updated to include this capability to comply with Google’s developer policies; apps that use this newer version are no longer considered high-risk.
More details about this change can be found in our December 2012 Monthly Mobile Review: The Hidden Risk Behind Mobile Ad Networks.
We uncovered four Android mobile apps on Google Play and certain third-party app stores which, when installed, gain access to specific device information that can be used without users’ consent and may lead to data leakage. One of these apps was already removed from Google Play but remains available on third-party ones. These apps are crafted to take advantage of the upcoming 2012 US Presidential Election and its two candidates, Mitt Romney and Barack Obama. Users can download these apps for free.
The first app, called “Obama vs Romney”, is an ANDROIDOS_AIRPUSH variant found to connect to airpush.com, a mobile ad network site. The app’s description page also indicates that it may contain ad notifications. We found that this app has more than 300 downloads from third-party stores and an estimated 500-1000 downloads from Google Play so far.
This app was designed as a polling service in which users can choose between the two candidates. It is supposed to display an overall result of the poll immediately. However, during our testing, it ended up showing the message “you probably want to start clicking as soon as possible”. This particular app also shows potentially annoying ads served from airpush.com, and these appear outside of the app itself.
It also requests permissions, ACCESS_COARSE_LOCATION among others, that can access information that includes the device’s GPS location.
Second is the “Captain America Barack Obama 1.0” (detected as an ANDROIDOS_ADWLEADBOLT variant) that installs a Barack Obama 3D wallpaper and US flag on the affected device. This was already removed from Google Play but remains available on third-party app stores. Similar to the “Obama vs. Romney” app, it comes with the ACCESS_COARSE_LOCATION and other permissions that gain access to device information like GPS location, CellID, and Wi-Fi location. Upon installation, it also creates a shortcut on the home screen of the device. So far, this app has been downloaded 720 times from third-party app stores.
The other two apps are “Barack Obama Campaign LWP 1” and “Mitt Romney Live Wallpaper 1” (both detected as ANDROIDOS_ADWLEADBOLT variants). Both of these apps also contain ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION.
Similar to the above-mentioned apps, they display ads on the device. Users can prevent this ad display by clicking a specific URL and disclosing certain information, such as their International Mobile Equipment Identity (IMEI) and device type, to the said site. However, it is likely that users will not notice this and will remain opted in to receiving the ads.
For a more informed choice, users should read app reviews and check the developer’s reputation. Typically, apps require access to specific mobile information in order to work. However, users must make it a habit to check the access that the apps require, especially if an app asks for too much. It is not uncommon for cybercriminals to create apps that request access to information, which they can later use for their malicious activities.
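The permission check recommended above can also be run against an app's decoded AndroidManifest.xml; the following is an added example, not code from the original post. It assumes the manifest has already been decoded to plain XML, and the sample manifest, its package name, and the watchlist entries other than the two location permissions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Location permissions are the ones named in the article. READ_PHONE_STATE
# (IMEI) and INSTALL_SHORTCUT (home screen shortcut) are the standard Android
# permissions for those behaviours; their use by these apps is an assumption.
WATCHLIST = {
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location (cell ID, Wi-Fi)",
    "android.permission.ACCESS_FINE_LOCATION": "precise location (GPS)",
    "android.permission.READ_PHONE_STATE": "device identifiers such as IMEI",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "home screen shortcut",
}

def audit_manifest(manifest_xml):
    """Return requested permissions, watchlist hits and a wallpaper mismatch flag."""
    root = ET.fromstring(manifest_xml)
    requested = []
    for elem in root.iter("uses-permission"):
        name = elem.get(NS + "name")
        if name and name not in requested:
            requested.append(name)
    flagged = {p: WATCHLIST[p] for p in requested if p in WATCHLIST}
    # A live wallpaper exposes a service guarded by BIND_WALLPAPER.
    live_wallpaper = any(
        svc.get(NS + "permission") == "android.permission.BIND_WALLPAPER"
        for svc in root.iter("service")
    )
    # Drawing a wallpaper does not need the device's location.
    mismatch = live_wallpaper and any("LOCATION" in p for p in flagged)
    return {"package": root.get("package"), "requested": requested,
            "flagged": flagged, "live_wallpaper": live_wallpaper,
            "location_mismatch": mismatch}

# Constructed sample manifest (not taken from any of the apps in the article).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.candidate.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".Wallpaper"
             android:permission="android.permission.BIND_WALLPAPER"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

The `location_mismatch` flag is a triage hint only: it marks a live wallpaper that asks for location, which is the pattern the wallpaper apps in this entry share.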
Trend Micro customers need not worry as their devices are protected from these apps. In particular, Trend Micro Mobile Security for Android also detects these malicious apps and prevents their installation on mobile devices.
To know more about how to protect your devices, you may read the following Digital Life e-Guides specific to Android users.
With additional inputs from Bob Pan