Update: Android gaming app hides Trojan, security vendors warn
Tap Snake could be used by attackers to monitor movements of an Android system via GPS tracking; Google downplays risk
Tap Snake, an version of a 1970s-era video game called "snake," is available from the Android Market online store.
Though the application appears to users as the original version of the game, it can also be secretly used as a client for a $4.99 commercial spying application called GPS Spy, both companies warned in separate advisories this week.
Once installed, a third party who gains access to the Android device can program the game to secretly report its location at any time to another system running GPS Spy. The Tap Snake software is designed to continually run in background on an Android-based system.
"GPS Spy downloads the [Tap Snake] data and uses this service to conveniently display it as location points in Google Maps," Symantec said in its advisory. "This can give a pretty startling run-down of where someone carrying the phone has been."
The GPS data includes the date and time of a user's location at the time the data was sent.
A potential attacker would need physical access to an Android device in order to enable the game application's spying capabilities, noted Sean Sullivan, a security researcher with F-Secure.
To enable tracking by GPS Spy, an attacker would need to install the game on a device, and then register the game by entering an e-mail address and a specific 'key,' he said. This same registration information must later be typed into the phone running GPS Spy in order to enable tracking.
Though there are similar spy tools for Android, iPhone and other mobile devices, "what's unique about Tap Snake is that it doesn't declare what it is when you register the game," Sullivan said, "You put in the e-mail, you put in the keycode it starts to do the spy work," without any notice, he said.
"There are plenty of applications available that do the same thing and disclose this information up front, and do not claim to be something else--the primary reason we consider this a Trojan," Symantec noted.
Though the Trojan allows for pretty intrusive tracking, the risk to users is somewhat mitigated because the program requires the attacker to have physical access to an Android. Even so, users would do well to password protect their phones, Sullivan said. "If your phone is locked, nobody has access to it.
A Google spokesman downplayed the warnings, saying the concerns relating to the applications were being overstated. "When installing an application, users see a screen that explains clearly what information and system resources the application has permission to access, such as a phone's GPS location," the spokesman said in an e-mailed statement.
"Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time. They can also view ratings and reviews to help decide which applications they choose to install. We consistently advise users to only install apps they trust," the spokesman said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Firewall Buyers Guide Operate as the core of your network security infrastructure
- Getting Started With a Zero Trust Approach to Network Security The Traditional Approach to Network Security is Failing. View Now>>
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts