The New Spyware Threat


By Ryan Coyle

If you’re like many smartphone users, you’ve scrolled your way through the App Store or Google Play and found a variety of cool programs, many of which are free. Or more like “free.” In almost all cases, developers who write software are looking for some way to cash in on the time and effort that they put into creating it. That’s not always the case, and some apps are written out of the kindness of people's hearts or are charitable in some fashion. For the most part, however, there’s a mechanism built into free software that gives developers the opportunity to recoup money.

Is there truth in advertising?

Freemium and ad-supported services are two of the many services that developers incorporate into their programs to recoup their costs and generate revenue through apps that are essentially free to play and use. Many of us are familiar with these types of services. What you may not be familiar with is a more insidious type of money-making scheme that some developers are incorporating into their programs. These types of services sign you up for premium SMS texting services or take your device information (your device ID, location and contacts) and upload it to separate servers, mainly to be sold to advertisers.

It is in many ways a rebirth of the spyware and adware of the late 90s and early 2000s. Only the platform has changed. No longer are advertisers offering you free smileys and emoticons for your emails, but full-featured games and programs. In return, these programs collect your data and sell it to advertisers.

In a study of more than 500,000 apps, BitDefender found that applications on iOS and Android are equally offensive. Of those apps studied, 45% of iOS apps contained location-tracking capability, compared to 35% for Android. Additionally, only 7.69% of Android apps had access to the contacts on their devices, while it was as high as 18.92% for iOS. The good news is that Apple has stopped the gap which allowed device IDs, emails and phone numbers to be sent out, but that behavior can still be found in almost 1 in 6 Android apps. This is because Apple routinely rejects apps which contain this behavior, so they aren’t published in the App Store. While Google Play has policies in place regarding ad behavior in its marketplace, they are not as stringent as Apple's.

How do you protect yourself from malicious or snoopy apps?  

Here are some tips:

  • Always pay attention to what apps ask for permission to use. Use your best judgment when it comes to granting privileges. Just because an app asks for permission to use something like location or contacts doesn’t mean that it needs it. If your weather program asks for access to your location, that seems like a logical use of that data. If your flashlight app wants access to your contacts, something might be a little fishy.
  • Always review your bill for sketchy charges.  One of the ways that malicious apps slowly milk their customers is by signing them up for “premium” SMS services that charge per text.  If you see texts to strange companies or websites that you know you didn’t send, contact your carrier to dispute the charges.  Texts to your mom... OK.  SMS charges to turkishinflatables.com might be a bit shady.
  • Look for strange behaviors on your device after installing new software.  If you start to see banners or badges for things that you don’t recognize or don’t look right, don’t blow it off.  People have a tendency to be much “free-er” with how they behave with their mobile devices as opposed to their computers.  The same types of behaviors that would trigger a warning flag on your computer should also trigger one on your mobile phone.
  • Find out what your apps know about you. There is an app called Clueful which will tell you what your apps know and how they use your private data. Clueful is available through the Google Play store: http://bit.ly/18f9WZN. For iOS, you need to navigate to http://www.cluefulapp.com/ and manually enter the apps that you want to know about.

With all this said, it’s important to note that not all free software is bad. Most apps have payment mechanisms built into them which aren’t sketchy or shady in any way. Unfortunately, a few bad apples can make the whole barrel seem bad. One last bit of wisdom regarding free apps (and in many cases free things in general): “If you’re not paying for the product, you are the product.”
