Surprise, Surprise: Your Android Apps Are Being Used To Nab Personal Data

A new study from online security firm Bitdefender has revealed that thousands of popular Android apps are being used by unscrupulous advertisers to collect and upload user information to third-party servers. Some apps were even found to access users' browsing history and photos.


For its large-scale study, Bitdefender analysed 130,000 popular free Android apps for signs of user privacy breaches. It found that nearly 13 percent of the apps collected and broadcast users' phone numbers without explicit notification.

A similar number of apps were also found to access and distribute location data, while 7.72 per cent accessed and distributed personal email addresses. Around 6 per cent of analysed apps also accessed browsing history, while a handful even accessed personal photos.

"While some apps may legitimately require access to such data, others access it without the app explicitly needing it to perform adequately," Bitdefender said in a statement.

Texas Poker by KamaGames and Paradise Island by Game Insight International were specifically singled out in the report for uploading users' phone numbers to third parties without their permission. (Both apps have since been updated to meet proper user privacy guidelines.)

[UPDATE: BitDefender has since been contacted by several app developers about its findings and wanted us to provide the following statement: "In the interest of thoroughness of research, we have agreed to re-conduct the tests and expect to finish this new round by approximately May 28. We will communicate the results of the tests immediately after their conclusion."]

“The thin line between aggressive advertisers and malware is getting blurrier,” Bitdefender Chief Security Strategist Catalin Cosoi said in a statement.

“While malware may steal passwords and other credentials, aggressive advertisers may collect everything else. Although violating user privacy raises serious concerns, the risk of having collected data used for malicious purposes is greater than most people imagine.”

This shouldn't come as too much of a surprise really; it's one of the main caveats of an open source operating system. The moral of the story is to always check the T&Cs and privacy policies of every app you purchase and do some online homework before blindly downloading the latest free app.


Comments

    I'm not sure 'always check the T&Cs and privacy policies of every app you purchase' is a realistic solution. I've always been curious how long it would take an average consumer to fully read every EULA etc. they 'agree' to (not including research time on legal terms they wouldn't initially understand). I'm betting it would be a figure that's unrealistic to keep up with, if not impossible, and that's assuming none of the developers lie, which is blindly optimistic to begin with.

    While I'm sure there's lots of things people can do to protect their privacy, we all know nothing is foolproof and security/privacy breaches are a fact of life nowadays. I just really don't think spending hundreds of hours of your life reading legal documentation is an efficient use of time.

    To me this article seems to be very biased, either by just lack of basic research or just pure fanboyism...

    A quick Google search brings up articles such as this (http://readwrite.com/2013/02/28/android-apps-less-risky-to-privacy-than-ios-apps ) and many more proving that malware/adware like this isn't specific to Android; it's just as prevalent in iOS, making the statements made in this article, such as "This shouldn't come as too much of a surprise really; it's one of the main caveats of an open source operating system", seem a little off.

      Nobody is saying this issue is specific to Android. However, the fact remains that it's significantly harder to get your app published on iOS due to Apple's strict approval process -- so the 'open source' statement does have some merit.

        Actually, the "open source" thing means this gets detected instead of iOS where you can't just skim logs or check permissions. It isn't the EULA users should be checking first, it's the permissions an app requests.

        "Open source" doesn't cause security problems, it helps secure them. The caveat is that you'll actually see reports on security problems instead of them just being exploited by aggressive advertisers/malware writers.

        1. Look up the definition of Open Source before using it. It has nothing whatsoever to do with market approval processes or curation.

        2. I'm afraid Brad is right, your article is heavily biased. To say nobody is saying the problem is specific to Android beggars belief. At best it is an error of omission. But realistically, given your editorial copy (not the marketing content you are regurgitating verbatim, uncritically from an anti-malware vendor, free of charge) does not mention any other platform, provides no balancing arguments nor caveats and expressly provides validation and authenticity with the 'open source' comment, to suggest that this wasn't precisely the point you were making is just disingenuous.

        3. More importantly, the article Brad refers to, and many others that were widely published around the same time, clearly indicates the data leakage (specifically relating to privacy) is actually at least as much of a problem on iOS. In fact in almost every measure the situation for the top 50 iOS apps was either worse or much worse than the equivalent top 50 Android apps. So in the context of an editorial (rather than free marketing copy) on this subject, iOS should clearly have been the focus. Yet it isn't even mentioned. Further, when challenged, you defend the position with the old chestnut of 'strict approval' and 'open source'. It's either ignorance or fanboyism, surely.

        4. Finally, the cautionary note I always try to comment with, when I have the remaining energy in the face of continuing and stoic ignorance and lazy journalism - please stop regurgitating such obvious marketing copy. Do a search. You will find one of these 'reports' from a 'researcher' (for they always use these terms, rather than 'press release from the sales dept of anti-malware vendor with vested interest', for obvious reasons) comes out approximately every 2 weeks. They seem to take it in turns. They all contain the same obfuscations (like aggregating data and omitting the fact that almost every instance of malware came from a third party market - Play has only had 2 known genuine instances of malware in the last 6 months - about the same as the App Store). You wouldn't fall for Snake Oil would you? You have research from an entity frightening us about a terror that they also happen to sell the 'cure' for! How would you react to 'research' from Shell or BP showing that climate change is false? Same thing.... Scepticism and critical thought are the basis of reason.

        As an aside, no, the best advice isn't to check the Ts&Cs, that again is either ignorance or a deliberate attempt to amplify the magnitude of this issue. As any Android user remotely interested in their privacy will tell you - an app literally cannot even access your address book nor access the internet to transmit the information gleaned from it, without first expressly requesting and receiving permission from the user for those two actions. So yes, the user is expressly notified this could happen, even if they take no notice. Which is much more than can be said for iOS - there is no requirement to notify and gain approval from the user before installation on iDevices, Apple determines how much private information the app can access without your input and never tells you that these are the permissions it has granted. Many would say that this, in conjunction with a significantly higher prevalence of apps with questionable privacy means that iOS is far more of a concern.

        Colin

          Now if only @lexter99 actually wrote the article it wouldn't have been the FUD piece it turned out to be.

          It has been demonstrated time and time again that closed (walled garden) systems, be they operating systems for server, desktop or mobile systems or applications, are inherently LESS secure than their open source counterparts. This is especially true if the developers / maintainers of these closed systems are not keeping up with the world of security. Peer review of code goes a VERY long way to alleviate this problem. I am in no way saying that one environment is better than the other; this isn't something that can be compared as easily as "apples with apples", both have their merits and also their flaws. Unfortunately marketing pieces like this, disguised as informed articles, do nothing to help EITHER.

          This article could have been so much better if a little research was done, but I guess that's what you get when you have volunteers submitting articles and not get paid for it. It has to be the case, right, as there is no way that a publication will be paying anybody to write this drivel?

    Ok, so give me an app that will check whether my apps are on this list or not.

      Why? If you're really worried about it, every app you install tells you the permissions it requires and you have to OK it. If the app asks you for access to your address book, then think about whether it actually needs that to do its job before you hit OK. If it doesn't ask for that then it can't access your contacts. Either way, stick to Google Play and you will be safe from the vast majority of these issues, and statistically at least as safe as on Apple's App Store.
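The permission check that Colin's comment and this reply both describe (an app needs the data permission and INTERNET before it can upload what it reads) as an added example, not code from the article, the commenters or Bitdefender: a Python triage script that parses a constructed excerpt shaped like `adb shell dumpsys package` output and flags packages that request a sensitive permission together with INTERNET. The package names and the excerpt itself are placeholders, not real app data.

```python
import re
# Constructed sample shaped like `adb shell dumpsys package` output (placeholder package names).
SAMPLE_DUMPSYS = """\
Package [com.example.pokergame]:
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_PHONE_STATE
    android.permission.READ_CONTACTS
    android.permission.ACCESS_FINE_LOCATION
Package [com.example.notepad]:
  requested permissions:
    android.permission.READ_CONTACTS
"""

# Permissions guarding the data categories named in the article's figures.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "phone number",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.GET_ACCOUNTS": "account e-mail addresses",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and files",
}
NETWORK = {"android.permission.INTERNET"}

def parse_requested_permissions(dump: str) -> dict:
    """Map package name -> set of permission strings it requests."""
    pkgs, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            pkgs[current] = set()
        elif current and line.strip().startswith("android.permission."):
            pkgs[current].add(line.strip())
    return pkgs

def exfil_candidates(pkgs: dict) -> dict:
    """Packages able to both read a sensitive category and reach the network."""
    out = {}
    for pkg, perms in pkgs.items():
        if not perms & NETWORK:
            continue  # no INTERNET permission: it cannot upload what it reads
        cats = sorted(SENSITIVE[p] for p in perms if p in SENSITIVE)
        if cats:
            out[pkg] = cats
    return out

if __name__ == "__main__":
    for pkg, cats in exfil_candidates(parse_requested_permissions(SAMPLE_DUMPSYS)).items():
        print(f"{pkg}: requests {', '.join(cats)} plus INTERNET")
```

The notepad placeholder requests contacts but not INTERNET, so it is not flagged; on a real device, pipe the dumpsys output in and review the flagged packages by hand rather than treating the list as proof of misuse.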

    I would love to see the original of that report, as it is close to impossible to find it on Bitdefender's official website. When was it conducted? Could you add the link to the original report, please?
