With any major event these days, fake mobile applications are sure to turn up. Security researchers at Webroot found an Olympics application that says it will keep you up to date on scores, but really keeps your data.
The Android app, called “London Olympics Widget,” pretends to deliver Olympics game results to the downloader but instead grabs the user’s contact information, GPS location, Internet browsing history, and the phone’s unique identifying number. Perhaps scariest of all, it reads all the SMS messages sent and received on the phone.
“There is some confusion on this being a Trojan; this is in fact a Potentially Unwanted Application that contains aggressive add-on SDKs,” said Armando Orozco, threat research analyst at Webroot, in an e-mail to VentureBeat. “They are typically advertising add-ons that are capable of displaying advertisements in the notification bar, collecting personal data, creating ad-related bookmarks and home screen shortcuts.”
Advertising is becoming a big issue, with many users starting to fear advertisers more than “the bad guys,” or government surveillance. Indeed, at the Black Hat conference in Las Vegas, a crowd was asked what they were most afraid of, Google or the government, and a resounding number of people chose Google.
The app was found on a third-party app marketplace, not Google Play.
Of the two major platforms, Android is much less locked down than iOS, and that openness is where much of its exposure comes from. Phones running Android can install apps from a number of different sources, whereas iPhones and iPads can only download apps from the Apple App Store, which reviews every app and makes sure it follows certain guidelines before it goes live.
Apple’s iOS isn’t perfect, however. Apple’s force-field of a sandboxing system didn’t keep out one “Trojan” app, which was removed in early July. The app, named “Find and Call,” said it was a way to organize contacts but harvested those contacts in the background. On top of that, the app sent spam messages to the harvested contacts, pretending to be the phone’s owner, inviting them to download the app. After being kicked out of the App Store in early July, the developers said the Trojan-like features stemmed from a bug in their system, which was being corrected.
Webroot suggests those looking for an Olympics app stick to the official ones, such as the London 2012 Olympics results app, as well as the BBC app and the NBC app. The company also says you should “rethink access.” If an app wants access to your contacts or location, you might want to say no.
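Webroot’s “rethink access” advice comes down to comparing what an app asks for against what its stated purpose needs. The following is an added example written for this article, not code from Webroot, Google or the app’s authors: it parses the `<uses-permission>` entries from a decoded AndroidManifest.xml (the kind of output apktool or `aapt` produces), flags the permissions that expose the categories of data the article says the widget collected (contacts, GPS location, browsing history, device identifier, SMS), and reports whether a “results widget” has any business asking for them. The two manifests, the package names and the expected-permission set are constructed for the example; the permission strings themselves are real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that expose the kinds of data the article says the fake widget
# collected. The permission names are real Android strings; the data labels
# are our own description of what each one grants.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browsing history",
    "android.permission.READ_PHONE_STATE": "device identifier",
    "android.permission.READ_SMS": "stored SMS messages",
    "android.permission.RECEIVE_SMS": "incoming SMS messages",
}

# What a sports-results widget plausibly needs: network access and nothing more.
# This set is an assumption made for the example.
EXPECTED_FOR_RESULTS_WIDGET = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed sample manifest (package name invented) standing in for the decoded
# manifest of a suspicious app; it is not the real app's manifest.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.olympicswidget">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Olympics Widget"/>
</manifest>"""

# Constructed manifest for an app that asks only for what a results widget needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleanresults">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Clean Results"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name declared in a <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # attributes carry the android namespace
    return [el.attrib[name_attr] for el in root.iter("uses-permission") if name_attr in el.attrib]


def assess_permissions(manifest_xml: str, expected: set[str]) -> dict:
    """Compare requested permissions against what the app's stated purpose needs.

    Returns the sensitive permissions requested, the data categories they expose,
    any further permissions outside the expected set, and a simple verdict a user
    can act on before tapping "install".
    """
    root = ET.fromstring(manifest_xml)
    requested = requested_permissions(manifest_xml)
    sensitive = {p: SENSITIVE_PERMISSIONS[p] for p in requested if p in SENSITIVE_PERMISSIONS}
    unexpected = sorted(p for p in requested if p not in expected and p not in SENSITIVE_PERMISSIONS)
    return {
        "package": root.attrib.get("package", ""),
        "sensitive": sensitive,
        "data_exposed": sorted(set(sensitive.values())),
        "unexpected_other": unexpected,
        "recommend_install": not sensitive,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = assess_permissions(manifest, EXPECTED_FOR_RESULTS_WIDGET)
        verdict = "OK" if report["recommend_install"] else "RETHINK ACCESS"
        print(report["package"], "->", verdict)
        for perm, data in report["sensitive"].items():
            print("   ", perm, "exposes", data)
```

To run it on a real APK, decode the package first (for example with apktool) and pass the resulting AndroidManifest.xml text to `assess_permissions`; the expected set should be adjusted to the app’s stated purpose, since a mapping app legitimately needs location while a scoreboard does not.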
We’ve reached out to Google for comment and will update upon hearing back.