Update: Android gaming app hides Trojan, security vendors warn
Tap Snake could be used by attackers to monitor movements of an Android system via GPS tracking; Google downplays risk
Tap Snake, an version of a 1970s-era video game called "snake," is available from the Android Market online store.
Though the application appears to users as the original version of the game, it can also be secretly used as a client for a $4.99 commercial spying application called GPS Spy, both companies warned in separate advisories this week.
Once installed, a third party who gains access to the Android device can program the game to secretly report its location at any time to another system running GPS Spy. The Tap Snake software is designed to continually run in background on an Android-based system.
"GPS Spy downloads the [Tap Snake] data and uses this service to conveniently display it as location points in Google Maps," Symantec said in its advisory. "This can give a pretty startling run-down of where someone carrying the phone has been."
The GPS data includes the date and time of a user's location at the time the data was sent.
A potential attacker would need physical access to an Android device in order to enable the game application's spying capabilities, noted Sean Sullivan, a security researcher with F-Secure.
To enable tracking by GPS Spy, an attacker would need to install the game on a device, and then register the game by entering an e-mail address and a specific 'key,' he said. This same registration information must later be typed into the phone running GPS Spy in order to enable tracking.
Though there are similar spy tools for Android, iPhone and other mobile devices, "what's unique about Tap Snake is that it doesn't declare what it is when you register the game," Sullivan said, "You put in the e-mail, you put in the keycode it starts to do the spy work," without any notice, he said.
"There are plenty of applications available that do the same thing and disclose this information up front, and do not claim to be something else--the primary reason we consider this a Trojan," Symantec noted.
Though the Trojan allows for pretty intrusive tracking, the risk to users is somewhat mitigated because the program requires the attacker to have physical access to an Android. Even so, users would do well to password protect their phones, Sullivan said. "If your phone is locked, nobody has access to it.
A Google spokesman downplayed the warnings, saying the concerns relating to the applications were being overstated. "When installing an application, users see a screen that explains clearly what information and system resources the application has permission to access, such as a phone's GPS location," the spokesman said in an e-mailed statement.
"Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time. They can also view ratings and reviews to help decide which applications they choose to install. We consistently advise users to only install apps they trust," the spokesman said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts