When we download smartphone apps, most of us don’t notice the hidden dangers lurking behind the amusing icons and ingenious programs that exist to entertain us or to make communication easier. “With every app you install, a small black box that hides many different functions is downloaded. It’s a feature which most users hardly understand or even realise is there,” says security expert Thorsten Holz. Unfortunately, the ability to read private text messages and to access photos is only the tip of the iceberg…
DOES EVERY SMARTPHONE HAVE ITS OWN PASSPORT? “In the past, apps only demanded the rights that they needed to operate. Today the collection of data has become almost a hunting instinct,” says Christian Funk, senior analyst at IT security company Kaspersky. For example, apps which repurpose the phone’s fl ash into a torch only need access to the camera, but these apps also demand to know where their users are. “They often use geolocation software to determine the whereabouts of a person via GPS,” Funk continues. Some apps also access the memory card of the phone, where contacts and photos are saved. Others can even write on the memory card, something that messenger apps genuinely need to do. “They need it to transfer sent photos or language fi les onto the phone. But it’s not clear why a fl ashlight would need this,” says Funk. The problem? If you don’t grant the requested permission, you won’t be allowed to install the software. “Users are conditioned to give the nod to just about everything,” he adds. Experts say that an app’s terms and conditions do not always reveal the full extent of the app’s data tracking. Though Google and Apple require app operators to inform all Android or iPhone users about data collection, this is not applicable to the phone’s individual identifi cation number, known as the device ID. Like a passport number, the device ID cannot be changed and can be used for identifi cation purposes worldwide. An investigation by the Wall Street Journal showed that 56 of the 101 apps the paper analysed pass on the device ID to third parties – without the user’s knowledge. This includes hugely popular apps like the game Angry Birds. But what do app developers gain from collecting our data? The trade in data is a billion-dollar industry: collection is the key to higher advertising revenues. Knowing as much information as possible about its users allows a company to better defi ne its target group and make itself more attractive to advertisers, thus generating more income. Mobile phone advertisement sales were worth about $9 billion in 2013. In 2014 experts expect sales to pass the $14 billion mark. Some of the biggest recipients are the advertising networks which collect user data and use it to create individual profi les. The profi les are then used to connect the apps with the appropriate advertisers. “What’s great about the ID number is that, unlike ordinary internet cookies, it can’t be deleted. That allows us to track everything,” says Meghan O’Holleran from the advertising network Traffi c Marketplace. The network monitors which apps are downloaded by a user, the frequency and duration with which they are used and how intensively they engage with the program. An additional goldmine for advertising networks is the geolocation of smartphones. Some apps do not even need the GPS function for this. With so-called coarse tracking, apps use Wi-Fi signals or the signals from mobile phone masts to locate us. A person can be localised to between 50 and a few hundred metres with this method. But how much does my location reveal about me?
WHAT TRICKS DO APPS USE TO LOCATE THEIR USERS WITHOUT USING GPS? According to the US advertising network Mobclix, quite a few. Using geolocation, an app is even able to confi rm where someone lives. Mobclix then compares the data with demographic and fi nancial projections from another company. In under a second, Mobclix sorts the user into one of 150 categories, in a list that ranges from environmental activists to gamers. Many advertising networks even offer app operators specially designed software kits which result in more sales. As a report from anti-virus software fi rm BitDefender confi rmed: “Even the most innocuous-seeming apps, especially free ones, make money by taking advantage of your personal information to send you targeted advertising.” The collected data includes age, sex, income and sexual orientation. And once installed, the app does not even need to be activated to fulfi l its mission… “In the mobile universe, there’s no such thing as anonymity. We always have our mobiles with us and they are always turned on,” says Michael Becker from the Mobile Marketing Association in the USA. This can potentially become dangerous when apps forward unencrypted personal data including user names and passwords. Smartphone owners using the same password for different services, like email or online banking, are leaving the door wide open for criminals to steal from them. Unencrypted transfer of data is about as safe as writing it on a postcard. Cyber criminals are able to seize them without much effort. An app worth less than a dollar can suddenly cost the user many thousands. It happens more frequently than you would expect.
FLEXISPY
WHAT SECRET DOORS ARE THERE? • This spy trojan app allows the main user (the spy) to monitor the mobile of another person • The app places emails, text messages and call lists onto a server that the spy can access freely • When the spy rings their target, the target’s handsfree mode is automatically activated so that the spy can listen in to other noises in the room • The user’s approximate geolocation is disclosed • Info: the spy needs to install the app onto the target’s mobile phone
DENDROID
WHAT SECRET DOORS ARE THERE? • This app is a cyber criminal’s dream because it equips them with an infrastructure that enables them to control infected Android devices • Bugging functions: the app can intercept and send text messages, add photos and videos and tap into the user’s browsing history as well as the log-in details for email accounts and social networks
CÁMARA VISIÓN NOCTURNA
WHAT SECRET DOORS ARE THERE? Until recently, this night-vision camera app was still available in Google Play and can still be found in third party stores. It accesses contacts from other apps like WhatsApp and registers these with a premium messaging service, banking almost two pounds for every registered contact number. It also sends expensive texts.
KUWAIT FLAG
WHAT SECRET DOORS ARE THERE? The lock screen app contains malware which spies on users. It is only available in third party stores.
WHAT SECRET DOORS ARE THERE? There are fake versions of this popular racing game available in the Google Play store. Speed Car II is actually free of charge. The counterfeiters sell their version cheaply. The app only requests payment after the installation. Users then receive a payment warning every ten minutes.
WHAT SECRET DOORS ARE THERE? • Numerous fake versions of the popular game Angry Birds are circulating. They convert the game into a spy app that reads the user’s emails • The app contains a trojan. This hacks into the system to send premium rate text messages
CLOCK
WHAT SECRET DOORS ARE THERE? The app disguises itself as a harmless clock.According to IT security company F-Secure, the app installs shortcuts with names like ‘System Update’ onto the phone. When they are clicked on, the malware is automatically activated. The consequence? User data like location, images, sound recordings, text messages, contacts and call lists are stolen. The app, which is only available in third party stores, can also recognise and remove anti-virus programs, making it particularly dangerous.
FAKE FLASH PLAYER
The app disguises itself as Abode Flash Player in third party stores on the internet. In a tactic popular with cyber criminals, the fake version mimics a system update. Once installed, it collects user data and sends premium rate text messages.
FAKE FLAPPY BIRD
This fake version of the game Flappy Bird acts as a spy app and reads the user’s emails • The app accesses the contacts and sends premium rate text messages • Many fake versions of Flappy Bird have appeared recently
THE DATA COLLECTORS
ANGRY BIRDS
FUNCTION: In this popular game, users destroy pigs to secure the survival of the Angry Birds WHAT SECRET DOORS ARE THERE? • The app stores the sequence of each game and sends all information to the advertising network Flurry • It has access to the location, the contacts and the device ID as well as the username of the user. It also shares this data with third parties
FUNCTION: • Worldwide chat function • The app can send photos and voice messages to other WhatsApp users WHAT SECRET DOORS ARE THERE? • According to computer experts, it transmits the name of the mobile provider and all saved telephone numbers un-anonymised onto their own server, without being given permission, because this information is used for contact details • Chat messages are unencrypted and the operator can read everything • WhatsApp is currently working on improving the encryption on the mobile phone
WAZE
FUNCTION: • Mapping, traffi c and navigation app WHAT SECRET DOORS ARE THERE? • It geolocates the user. However, without it, the app would be useless because it compiles traffi c reports based on user data and input • Waze forces users to provide their real name, contact information and location and shares this with advertisers
BRIGHTEST FACEBOOK FLASHLIGHT
FUNCTION: Flashlight function for phones WHAT SECRET DOORS ARE THERE? Until recently the app had saved and forwarded the device ID and location of the user to advertising networks without asking. Following a US ruling, the app is now required to seek the permission of the user before passing on confi dential data.
YELP
FUNCTION: • Provides recommendations of businesses, restaurants, bars and cafes nearby • See other users’ location reviews • Users share recommendations in social networksWHAT SECRET DOORS ARE THERE? • Has access to contacts, localises the user via mobile phone towers and the GPS function. This enables locationbased information to be gathered • Saves location, device ID, username and password on its own server • Sends the device ID to the advertising network Flurry • For the “Find Friends” function, the app transfers all user data unencrypted • Operates data exchange with servers in other fi rms
ICONTROL
FUNCTION: Mobile online banking – account summary, payments and transfersWHAT SECRET DOORS ARE THERE? • The app uses the service Google Charts for its graphics. It sends the unencrypted account sales of its users through the internet and to Google • In tests the app has frequently crashed and regularly exhibits security breaches – for example, partly unencrypted fi les were accessible before the password had been entered
FUNCTION: Smartphone users can use the app to view their Facebook account, post comments, upload pictures and send messages WHAT SECRET DOORS ARE THERE?• Facebook transfers parts of the address book, encrypted but not anonymised. Note: this is part of the site’s functionality. Status messages can only be transferred to another user when this happens anonymously • All information is permanently stored on Facebook’s servers
WEATHER LIVE
FUNCTION: • Global weather forecasts for various locations, live weather images, local time • 7-day weather report with the day’s highs and lows • Information about humidity and precipitationWHAT SECRET DOORS ARE THERE? • Sends statistics and device IDs to Flurry • The app communicates with the servers of a third party company
MY FITNESS PALFUNCTION: • Calorie counter with access to more than three million foodstuffs • Barcode scanner, recipe calculator • User-defi ned weight-loss goals • Daily food overview • Graph charting the progress of the diet
WHAT SECRET DOORS ARE THERE? • Saves age, gender, location , username and password on its own server for evaluation purposes • Sends location and device ID to the advertising network Flurry • Flurry uses the user data to compile statistics and user profi les • Has access to contacts
HOW MANY SMARTPHONE APPS ARE CONTAMINATED?
A recent study found that one in 10 smartphone users have been hacked. So how are attacks on smartphones carried out? “Cybercriminals often develop a malicious code which they package into legitimately downloaded apps. They then offer the infi ltrated apps for download again,” Funk explains. In total, around 230,000 malicious codes are known to experts. A single one can infi ltrate thousands of apps without a problem. Kaspersky estimates that around ten million apps are currently contaminated, the majority of which are available via third party stores on the internet. However, the IT security company RiskIQ reports that Google Play – the Android app store – often distributes malicious apps without noticing. One example of this is night-vision camera app Cámara Visión Nocturna. It taps contact details and registers the numbers with a premium messaging service, collecting around $4 per registration. The numbers are saved to an external server so they can be abused in the future. Although the app has been removed from the Google Play store, it is still available in third party stores. RiskIQ emphasises that this example is just one among many: “Of a million apps, a few hundred thousand have either violated the terms of use or pursued malicious intentions with users’ data,” says Elias Manousos, the CEO of RiskIQ. In 2013, 42,000 infected apps were offered on the Google Play Store Apps most affected are personalisation and entertainment programs, like background image app Wallpaper Dragon Ball or the game Finger Hockey. However, Thorsten Holz is keen to stress that the Google Play store presents a minimal risk. “Anyone downloading their apps from offi cial stores is relatively safe. Google use a wide variety of measures to detect malware. As soon as an app is recognised as malicious, it is automatically removed from sale. It's important to remember that security companies have a vested interest in extreme fi gures. They earn money from users downloading their software out of fear of cyberattacks,” says Holz. Still, 98% of malicious software is programmed for Android. The Apple Store is a fortress: only certifi ed developers have the opportunity to gain insight into the iOS operating system – and only someone who knows the system is able to develop malicious codes against it. For this reason, according to Kaspersky, it is rare for infected apps to infi ltrate the Apple Store. While this is welcome, most users don’t see any benefi t because an estimated 80% of smartphone users worldwide own Android devices. What does this mean for them? Are they helpless against malicious apps? Below, experts list the best apps to protect your smartphone from cyber criminals…
Post a Comment
0 Comments