Free apps dubbed the “modern equivalent of spyware”

Internet security firm Bitdefender has warned that the advertising framework used by free mobile apps is turning the software into the “modern equivalent of spyware” that can monitor users throughout the day.

The company reached this conclusion after analysing the most intrusive behaviours app developers can include in their products, such as location tracking, reading contact lists and leaking email addresses, phone numbers and device IDs.

‘Clueful’, a privacy monitoring app created by the company, was used to look into the behaviour of 314,474 free Android apps and 207,843 free iOS apps over the past year.

The research revealed there is little to choose between the two systems when it comes to privacy, concluding that “applications are equally invasive and curious on iOS as on Android.”

The findings for both platforms are, however, quite staggering. Of the software examined, 45 per cent of iOS apps have location tracking capabilities, as do 35 per cent of those on Android.

19 per cent of the iOS apps are able to look at contact lists, whilst far fewer Android apps, 7.69 per cent or around 24 thousand, can do the same.

Just under 28 thousand of the applications analysed by Clueful for Android might leak the device’s phone number to third-party advertisers, resulting in nuisance calls and texts. Around 15 per cent of the apps may leak the Device ID.

Since the release of Apple’s iOS 5, the ability for apps to read the unique device identifier of iPhones has been phased out.

The reason for this state of affairs is that although these apps are free for the users, the developers are monetising the software by using personal information for advertising purposes.

“An old proverb has it that if you’re not paying for it, then you are the product being sold,” says Catalin Cosoi, Chief Security Strategist at Bitdefender. “The application becomes free only after the user has paid for it with his or her privacy.”

This ad-supported model has of course been around for nearly as long as the Internet and is how the free services of online giants such as Google and Yahoo are funded.

However, Cosoi explains that with mobile advertising things are different: “Mobile adware tightly integrates with the device – it does not run inside the browser, isolated from other applications.

“On mobiles, advertising frameworks can learn your communications habits, friends, friends’ contacts, location and – more frequently – all of the above at the same time.”  

What’s more, this is often done without users even realising it is happening or being aware of what they agreed to during installation.

Some of the offending apps identified by Bitdefender:

Location tracking

Android:

Latest Nail Fashion Trends (v. 3.1) (has an estimated user base of between 100,000 and 500,000).

iOS:

PokerStars TV (v. 2.2.2.0) and Cheezburger (v. 1.2.2) both use geolocation to track users’ exact location.

Reads contact list

iOS:

OLJ (v. 1.1) – reads contact names and contacts’ email addresses and sends them to a remote server.

3D Badminton II (v. 2.026) – reads contacts’ emails and sends them to a server in Hong Kong.

Leaks email addresses or device ID

Android:

Logo Quiz Car Choices (v. 1.8.2.9) (between 100,000 and 500,000 installations).

Football Games – Soccer Juggle (v. 1.4.2) (between 100,000 and 500,000 installations).

Attempts to leak phone numbers

Android:

Football Games – Soccer Juggle (v. 1.4.2) (between 100,000 and 500,000 installations).

Button Football (Soccer) (v. 1.10.3) (between 1,000,000 and 5,000,000 installations).
