This is the second in a series of blog posts describing the mobile threat landscape in Japan. The first one may be found here.
Smartphone users in Japan are able to download a wide variety of apps, many of which are either inexpensive or free. Not all of these actually meet what users expect in terms of features, and some even introduce risks that users may not fully understand. In this blog entry, I will report the privacy risks caused by certain apps that we have looked into.
The Ad Delivery Cycle for “Free” Apps
As mentioned in the first entry, we define apps that perform the following routines without user consent as high-risk apps (referred to as “ego apps” in Japan):
- Displaying pop-up ads
- Getting the user’s private information
One reason these apps are significantly increasing lately is the way that ads are sold in Japan.
As you can see in this graph, these ad agents/networks provide software development kits (SDKs) to app developers. By inserting the SDK-provided code into their apps, developers can have ads appear inside their apps. They then earn money based on how many ads are viewed and/or clicked. This revenue allows a developer to charge little or nothing for their app.
However, users put their personal information at risk when they download these apps. Users may be able to afford many free or cheap apps, but they may fall victim to ad networks that do not show a EULA, or that collect their private information without consent. If these privacy-violating apps increase in number, users will be at greater risk of information theft.
How to make the Ads Safer
One benefit of ads in mobile apps is that they allow independent app developers to earn money. They also allow apps that would normally be expensive to be sold at a low price, or for free. Imposing a blanket ban on advertising and on acquiring user information may be harmful to the mobile sector as a whole.
So how can we make ad-supported apps safer for everyone? First, users should check whether the app they are downloading is reputable. To do this, users can read the comments on the app they want to download, as well as on other apps offered by the same developer.
| Item | What to indicate |
|---|---|
| The Developer’s Name | Indicate the full name of the app developer and contact address. |
| User Information Type | Enumerate all types and contents of the user information extracted. |
| Method | Indicate how the information is extracted: through the user’s own input, or acquired automatically. |
| Purpose | Indicate whether it is used to provide further services to users or for other purposes. If it is used for ad delivery or marketing purposes, indicate this. |
| The Third-Party Providers, External Senders, and Info-gathering Modules | Indicate whether the app contains such items as third-party providers, external senders, and info-gathering modules. |
| Contact Details | Indicate contact details such as phone numbers, email addresses, etc. |
To evaluate the risk to user privacy, Trend Micro looked at the 200 most popular free apps in each of two categories (general apps and game apps) in the Google Play app store in Japan, according to Google’s rankings as of August 31, 2012. The details of the sampled data are indicated in Tables 2 and 3.
| Item | Value |
|---|---|
| Location | Google Play – Japan |
| # of APK Files | 400 |
| Targeted Categories | Google Play – Applications, Free; Google Play – Games, Free |
| Date Covered | August 31, 2012 |
| Sampling Criteria | Top 200 of the most popular apps (general apps and game apps respectively) out of all free apps in Google Play Japan, according to Google’s announcement as of August 31, 2012 |

Table 2: The Details of the Examined Apps
We used Trend Micro Mobile App Reputation (MAR) to examine these apps, looking at three areas in particular:
- unwanted routines
- information leakage (focusing on privacy violations)
- high memory usage
Based on our analysis, we grouped the apps into four categories, from highest to lowest risk, namely: “Malicious”, “High Risk”, “Low Risk”, and “Safe”.
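The “information leakage” check above and the disclosure checklist earlier in this post fit together naturally: the permissions an app requests tell you what personal information it is able to acquire, and the “User Information Type” section of its privacy policy tells you what it admits to acquiring. The following script is an added illustration of that comparison, not Trend Micro’s Mobile App Reputation code. It parses a constructed AndroidManifest.xml, maps real Android permission names to information types (the mapping is this example’s own assumption), reports any type the policy does not disclose, and buckets the app using the four labels from the post; the bucketing rules are likewise assumptions, not MAR’s.

```python
import xml.etree.ElementTree as ET

# XML namespace used for android:* attributes in every AndroidManifest.xml
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (this example's own table) from real Android permission
# names to the kind of personal information they let an app read.
PERMISSION_INFO = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "device identifier",
    "android.permission.GET_ACCOUNTS": "account name",
    "android.permission.READ_SMS": "SMS",
}

# Constructed manifest for a hypothetical free game that bundles an ad SDK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jp.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="FreeGame"/>
</manifest>
"""

# Constructed "User Information Type" section of that app's privacy policy:
# it admits to reading the device identifier and location, but not contacts.
SAMPLE_DISCLOSED = {"device identifier", "location"}


def manifest_permissions(xml_text):
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(xml_text)
    return [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]


def acquirable_info(permissions):
    """Information types the requested permissions allow the app to read."""
    return {PERMISSION_INFO[p] for p in permissions if p in PERMISSION_INFO}


def undisclosed_info(permissions, disclosed):
    """Information types the app can acquire but its policy does not list."""
    return sorted(acquirable_info(permissions) - set(disclosed))


def classify(permissions, disclosed, shows_popup_ads, user_consent, malicious_ads):
    """Bucket an app with the post's four labels (rules are assumptions).

    Malicious : the bundled ad network is known to deliver malicious ads
    High Risk : pop-up ads or undisclosed data collection without consent
    Low Risk  : the same behaviour, but the user was asked for consent
    Safe      : no pop-up ads and every acquirable type is disclosed
    """
    if malicious_ads:
        return "Malicious"
    leaks = undisclosed_info(permissions, disclosed)
    if (leaks or shows_popup_ads) and not user_consent:
        return "High Risk"
    if leaks or shows_popup_ads:
        return "Low Risk"
    return "Safe"


if __name__ == "__main__":
    perms = manifest_permissions(SAMPLE_MANIFEST)
    print("requested permissions:", perms)
    print("undisclosed information:", undisclosed_info(perms, SAMPLE_DISCLOSED))
    print("rating:", classify(perms, SAMPLE_DISCLOSED,
                              shows_popup_ads=True, user_consent=False,
                              malicious_ads=False))
```

Run against the constructed sample, the script reports that the app can read contacts without disclosing it and rates it “High Risk”; adding “contacts” to the disclosed set and removing the pop-up ads moves it to “Safe”. In practice the disclosed set would be taken from the app’s published policy, and the permission list from the real manifest inside the APK.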
As you can see above, 0.5% (one app) of all general apps and 1% (two apps) of all game apps are considered “malicious”. 5% of all general apps and 3% of all game apps are considered as “high risk”. More “high risk” apps are present among general apps than gaming apps.
Apps considered “Malicious” have unwanted routines such as delivering malicious ads. App developers should be careful about which ad network they use: if their app is found to serve malicious ads, their reputation may be damaged. The same is true if their app leaks personal information.
The above chart shows the types of personal information that is acquired by the studied apps. This information was also used in rating the risk level of apps.
Trend Micro Mobile Security (known as Virus Buster Mobile for Android in Japan) has a function known as “Privacy Scan”. With it, users can easily check the privacy risks of their installed apps. It can scan apps as they are being installed, and users can also manually scan already-installed apps to check their privacy risks.