Update: Android gaming app hides Trojan, security vendors warn
Tap Snake could be used by attackers to monitor movements of an Android system via GPS tracking; Google downplays risk
Tap Snake, an version of a 1970s-era video game called "snake," is available from the Android Market online store.
Though the application appears to users as the original version of the game, it can also be secretly used as a client for a $4.99 commercial spying application called GPS Spy, both companies warned in separate advisories this week.
Once installed, a third party who gains access to the Android device can program the game to secretly report its location at any time to another system running GPS Spy. The Tap Snake software is designed to continually run in background on an Android-based system.
"GPS Spy downloads the [Tap Snake] data and uses this service to conveniently display it as location points in Google Maps," Symantec said in its advisory. "This can give a pretty startling run-down of where someone carrying the phone has been."
The GPS data includes the date and time of a user's location at the time the data was sent.
A potential attacker would need physical access to an Android device in order to enable the game application's spying capabilities, noted Sean Sullivan, a security researcher with F-Secure.
To enable tracking by GPS Spy, an attacker would need to install the game on a device, and then register the game by entering an e-mail address and a specific 'key,' he said. This same registration information must later be typed into the phone running GPS Spy in order to enable tracking.
Though there are similar spy tools for Android, iPhone and other mobile devices, "what's unique about Tap Snake is that it doesn't declare what it is when you register the game," Sullivan said, "You put in the e-mail, you put in the keycode it starts to do the spy work," without any notice, he said.
"There are plenty of applications available that do the same thing and disclose this information up front, and do not claim to be something else--the primary reason we consider this a Trojan," Symantec noted.
Though the Trojan allows for pretty intrusive tracking, the risk to users is somewhat mitigated because the program requires the attacker to have physical access to an Android. Even so, users would do well to password protect their phones, Sullivan said. "If your phone is locked, nobody has access to it.
A Google spokesman downplayed the warnings, saying the concerns relating to the applications were being overstated. "When installing an application, users see a screen that explains clearly what information and system resources the application has permission to access, such as a phone's GPS location," the spokesman said in an e-mailed statement.
"Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time. They can also view ratings and reviews to help decide which applications they choose to install. We consistently advise users to only install apps they trust," the spokesman said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!