That's the message of a forthcoming talk on mobile malware threats that Dasient CTO Neil Daswani will give at the Black Hat conference in Las Vegas next month.
Daswani will reveal the full results of a study conducted by anti-malware service provider Dasient, which has analyzed some 10,000 applications on the Android platform to determine their rates of infection and vulnerability to security attacks.
The study offers some sobering results on the rapid growth of malware on mobile devices, particularly on Android. The number of malware samples on mobile devices has doubled in the past two years, Daswani says.
In the study, Dasient analyzed the live behavior of Android apps to determine their security posture. Of the 10,000 applications evaluated, more than 800 were found to be leaking personal data, Daswani says.
In addition, the researchers found that 11 of the applications were sending potentially unwanted SMS messages out to smartphones -- the mobile version of spam, Daswani says.
"Some of these applications, once started, were sending premium SMS messages," Daswani says. "The user ends up paying for those messages, and they can be pretty expensive. It's sort of like the old 900 number scams, where if you called once, your phone would continue to incur the charges over and over again."
These scams are likely to continue until mobile network service providers and device makers work out conventions on how to handle marketing and sales messages on SMS, Daswani predicts.
The study also reveals the results of a forensic analysis of Android apps, which were infected earlier this year with the Droid Dream malware and again last month with Droid Dream Lite. In the study, Dasient found many other instances of malware that attempts to take control of the device at the root level, and even seeks to spread to other devices in a worm-like fashion.
"Once you have root-level control, you pretty much own the phone," Daswani says. "This is a problem that carriers and device makers will have to take action on very soon."
In its research, Dasient also proved that mobile malware can be delivered via drive-by downloads from legitimate applications, much as malicious actors deliver drive-by malware to users through legitimate sites. Drive-by downloads have rapidly become the delivery method of choice among malware authors in the wired device world, according to Dasient research.
"This [study of drive-by downloads on mobile devices] has some interesting implications, because it means that mobile malware can be delivered through legitimate and popular applications," Daswani says.
The drive-by downloads that Dasient has seen so far have generally been noisy, often crashing the browser interface in order to steal data from the device, Daswani notes. In the future, mobile malware authors will discover methods to deploy the malware without crashing the device, effectively hiding the infection and enabling attackers to steal data for a longer period of time without being detected, he predicts.
Drive-by downloads will likely be buried in the most popular applications, such as those listed at the top of the Android Marketplace numbers, Daswani suggests. A mobile attack earlier this year promised a cheat to the popular and frustrating game Angry Birds, which is one of the most frequently downloaded applications on the Droid.
Daswani says Dasient will be releasing more details on the study following the Black Hat talk.