Malware Or Not Malware – That’s The Question

09/02/2012
G DATA Blog

An app disappears from the Android Market because it is considered malware. Then it is back. The fishy functionality remains; the main difference is an EULA. We don't think that merely telling the user is enough to change the rating.

Malware is widely understood as software whose purpose is, for example, to harm the device or to steal information without the user's consent, which can result in identity theft or financial fraud. But it is not always easy to tell the good from the bad. Apps that defame the user or make fun of him also make up a growing share of the mobile threat landscape. Drawing a clear line between malware and non-malware becomes especially difficult when simply mentioning the presumably malicious behavior in the app's license agreement or EULA appears to be enough to justify its publication and keep it in the Google Market. Let's have a look at a current case:


Round 1: SndApps.A
Screenshot of applications by Typ3-Studios, advertised by an installed app

The malware in question, Android.Trojan.SndApps.A, was first discovered on 4 July by Xuxian Jiang, then Assistant Professor at NCSU. It targets Android mobile devices and was available on the official Android Market. Once installed by the user, the malware registers certain services so that some of the presumably malicious services are started at boot. The user has no influence on those services.
The applications themselves are very simple. The airhorn application just displays a picture of an airhorn, which, when touched, plays the corresponding sound. The other applications like whoopee cushion, mosquito repellent etc. work the same way.

Some time after the apps are installed, often hours later, ads are shown that lead the user to the other, very similar apps of the same developer. Other suspicious behavior of this developer's apps is the theft of personal data such as the user's contacts and further data such as the phone number and the IMEI of the smartphone. This data is transmitted, unencrypted, to the Typ3-Studios server, which adds to the impression already mentioned: this is malware. After Jiang's discovery and report, the Android Market's security team pulled the apps from the Market.


Round 2: They try it again… and succeed
In late August 2011, Typ3-Studios published a new set of apps, confusingly similar to the ones described before. Only the background color of the icons was changed. They otherwise show the same possibly malicious behavior as the prior versions but, as of today, have not been removed from the Google Market.

Screenshot of Typ3-Studios' applications in the Android Market


Why haven’t those apps been removed again?
Screenshot of Whoopee Cushion reviews in the Android Market

In the Android.Riskware.SndApps.B version, the only indication of a change is the added End-User License Agreement (short: EULA). Its appearance is announced merely by a short notice in the app's Android Market "What's new" section, which reads: "Please read the new Privacy Policy and Terms of Use in the app menu." In addition, the permission that lets the app's advertisement service start at boot was added. Interpreting this behavior as malicious now seems to be hindered by the developers' move to include those parts, especially since the user approves the permissions in the first place.

However, the EULA of all apps published in "round 2" is only visible if the user presses the smartphone's menu key. Since the apps' only use is to play a sound after a touch, it is very obvious that some users never get to see the license agreement; they implicitly agree to the EULA by using the app.
The EULA begins as follows: "By using this Mobile Application (the "Application"), you agree to be bound by this Mobile Application Privacy Policy and Terms of Use." Sounds quite convenient for the developers when the user never stumbles upon it, right? And the EULA's mere existence seems to be enough for Google to let the app pass, at least that is the way it looks to us.
Another point the developers had to change in order not to get kicked out again was to encrypt the transmitted user data. How easily that data can be decrypted afterwards is not specified at all. Typ3-Studios' apps were not only re-published but also stayed in the Market, where, as of today, the whoopee cushion app alone has been downloaded 10,000+ times.


Conclusion: Why isn't such an app labeled as malware, or at least as riskware, more often?
As the title of this article indicates, labeling software as malware becomes more and more difficult, especially when the user agrees to dubious permissions.
The sole existence of an EULA should not suffice to make already suspicious behavior legitimate. Another questionable tendency: the EULA is not easily accessible to the user. An app that requests permissions and presents EULAs that go beyond its use case should therefore not stand above reproach. Such a case should at least be called riskware, to draw attention to circumstances the user would otherwise not notice.
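The "permissions beyond the use case" criterion described above can be checked mechanically. The following is an added example (not code from the original post or from G DATA): it audits a constructed AndroidManifest.xml modelled on the soundboard apps in this article, flagging every permission that a sound-playing app has no reason to request, plus any component registered to run at boot. The package name and the expected-permission set are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed sample manifest (hypothetical package name) reflecting the
# behaviour described in the post: a soundboard app that asks for contacts,
# phone identity (number / IMEI) and the right to start at boot.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.airhorn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# What each out-of-scope permission gives access to, in terms of this case.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "user's contacts",
    "android.permission.READ_PHONE_STATE": "phone number and IMEI",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at boot without user action",
}

def audit_manifest(xml_text, expected):
    """Return (name, reason) findings: requested permissions outside the
    expected set for the app's use case, plus any BOOT_COMPLETED receiver."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    findings = [(p, SENSITIVE.get(p, "not needed for the declared use case"))
                for p in sorted(requested - set(expected))]
    for action in root.iter("action"):
        if action.get(NAME_ATTR) == "android.intent.action.BOOT_COMPLETED":
            findings.append(("receiver:BOOT_COMPLETED",
                             "component starts without the user opening the app"))
    return findings

def risk_verdict(findings):
    """Riskware if anything exceeds the use case, otherwise benign."""
    return "riskware" if findings else "benign"
```

A soundboard that shows ads needs at most INTERNET, so that is the expected set passed in here; an app declaring only that permission and no boot receiver comes back "benign".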


What you should keep in mind when you install an app:

  • Only use trustworthy sources to install software. Within the Android Market, read the reviews and comments, and keep yourself informed.
  • The Android Market also displays the permissions the app wants in order to function. Evaluate whether you want to grant the permissions asked for. Security software like G Data MobileSecurity for Android can disclose these permissions even after installation.
  • Don't ignore or carelessly click notifications whose origin you don't know. Check such messages online or contact your provider's support service.