The Rampant, Risky Babbling of Android Apps

Eurecom researchers recently developed an Android application that can monitor the network traffic of other apps to alert users of suspicious or malicious network activity.

With more than 1.2 million applications in the Google Play store, there are multiple programs for performing a particular task. That can make choosing an app a chore for users, noted Luigi Vigneri, Jaideep Chandrashekar, Ioannis Pefkianakis and Olivier Heen in a report released last month.

“Moreover, some of the applications being of dubious origin, there are no mechanisms for users to understand who the applications are talking to, and to what extent,” the paper says.

Characterizing the network behavior of an app gives users an idea of how the app will behave after it’s installed on an Android device, which is valuable for deciding if they want the app to be installed at all, the researchers explained.

“Given our focus on network behavior, we are interested in identifying the kinds of destinations connected to, whether the application connects to a large number of ad sites, how often it talks to online tracking sites, and whether it communicates with sites that have been deemed suspicious,” they wrote.

Rooting Required

After analyzing a large sample of free applications from Google Play, the boffins reached the conclusion that there was a lack of effective tools and mechanisms to audit installed applications and give users greater visibility into application behavior.

To that end, they created an app called “NSA,” for “NoSuchApp,” which identifies particular types of app connection destinations. The software initially was made available only to reviewers, but the researchers said it would be available on Google Play in the future.

That could be problematic, however, because to do what NSA is described as doing requires an Android phone to be “rooted,” which allows a user to gain access to parts of the operating system that they’d ordinarily not have access to.

“A lot of things can go bad in the rooting process,” said Bogdan Botezatu, senior e-threat analyst with Bitdefender.

“If you’re not technical, you could end up with a bricked phone, or allow malware to run with root privileges, which is even worse,” he told LinuxInsider. “Companies usually do not like people to root their phones.”

Cloud to the Rescue

Bitdefender makes an app for both Android and iOS that is designed to address the problems identified by the Eurecom researchers, but without rooting a device, Botezatu added.

“We have a huge database of applications, so we know how everything in the Play Store behaves. We know how it behaves, because we’ve looked at it previously with our own emulators,” he explained.

“Our app mixes and matches the apps that are on the user’s phone with our threat intelligence libraries that are in the cloud,” said Botezatu. “That way, we don’t have to ask the user to root their phone.”

The big takeaway from the Eurecom paper is the risk the team identified in the app ecosystem, maintained Irfan Asrar, a senior research scientist at Appthority.

“The application itself is probably for researchers only who can use that app in a controlled environment,” he told LinuxInsider.

“For the average consumer to root a phone and carry out the activities required could create a larger attack surface than the one created by the problem they’re trying to solve,” Asrar added.

Few Secure Connections

The researchers found a wide spectrum of URLs accessed by the apps they studied — anywhere from a few dozen to nearly 2,000 by one music app.

The sheer number of URLs accessed by Android apps was “stunning,” said Tod Beardsley, security engineering manager at Rapid7. Worse yet was how few apps used SSL, the protocol that protects data in motion on the Web, to secure the URLs they were constantly polling.

“This is an invitation for malicious networks to inject their own content, replacing the advertiser content,” Beardsley told LinuxInsider.

“So, not only are these apps reaching out to hundreds or thousands of unknown websites without the user’s knowledge, but they are doing so in an insecure way that exposes the phone — and the user — to personal risk of malware infection,” he said. “This is a pretty steep price to pay for a ‘free’ app.”
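The two audit questions the article raises, which destinations an app talks to (ad, tracking, suspicious sites) and whether it does so over plaintext HTTP, can be answered from per-app flow records. The script below is an added example, not the Eurecom NSA app or Bitdefender's code; the flow log and the category lists are constructed for illustration, and the thresholds in risk_flags are assumptions.

```python
# Added example: profile an Android app's network behaviour from flow records.
# Hosts, packages and category lists are constructed, not real indicators.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed category lists; a real auditor would load maintained blocklists.
AD_HOSTS = {"ads.example-adnet.test", "banner.example-ads.test"}
TRACKER_HOSTS = {"metrics.example-tracker.test"}
SUSPICIOUS_HOSTS = {"c2.example-bad.test"}

# Constructed flow log, one tuple per connection: (package, scheme, host)
FLOWS = [
    ("com.example.musicplayer", "http", "ads.example-adnet.test"),
    ("com.example.musicplayer", "http", "banner.example-ads.test"),
    ("com.example.musicplayer", "http", "metrics.example-tracker.test"),
    ("com.example.musicplayer", "https", "api.example-music.test"),
    ("com.example.musicplayer", "http", "c2.example-bad.test"),
    ("com.example.notes", "https", "sync.example-notes.test"),
    ("com.example.notes", "https", "metrics.example-tracker.test"),
]

@dataclass
class AppProfile:
    hosts: set = field(default_factory=set)  # distinct destinations
    total: int = 0
    plaintext: int = 0   # connections over http rather than https
    ad: int = 0
    tracker: int = 0
    suspicious: int = 0

def profile_flows(flows):
    """Aggregate flow records into one AppProfile per app package."""
    profiles = defaultdict(AppProfile)
    for app, scheme, host in flows:
        p = profiles[app]
        p.total += 1
        p.hosts.add(host)
        p.plaintext += scheme == "http"
        p.ad += host in AD_HOSTS
        p.tracker += host in TRACKER_HOSTS
        p.suspicious += host in SUSPICIOUS_HOSTS
    return dict(profiles)

def risk_flags(p):
    """Return the findings a user would want surfaced (assumed thresholds)."""
    flags = []
    if p.suspicious:
        flags.append("suspicious-destination")
    if p.total and p.plaintext / p.total > 0.5:
        flags.append("mostly-plaintext")  # content injectable by a hostile network
    if p.ad + p.tracker > p.total / 2:
        flags.append("ad-or-tracker-heavy")
    return flags
```

Running profile_flows(FLOWS) and risk_flags on each profile flags the music player on all three counts while the notes app, which only uses HTTPS and contacts a single tracker, raises none.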

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
