Thousands of Android smartphone applications “have secretly been colluding to mine our information,” according to researchers at Virginia Tech, who released a new study funded by the Defense Advanced Research Projects Agency (DARPA) this week.
The study analysed more than 110,000 Android apps, “including 100,206 of Google Play’s most popular apps and 9,994 malware apps from Virus Share, a private collection of malware app samples,” examining them in pairs, and found tens of thousands of pairs quietly passing data such as location and personal information to each other without the user’s permission. Specific names of offending apps do not appear to have been published.
“Out of the 100,206 most popular apps on the Google Play store, the researchers found 23,495 colluding pairs,” according to New Scientist. “However, all of these pairs contained one of just 54 apps that instigated the collusion. Those that were most likely to be up to mischief often seemed the most innocuous, such as apps that give you extra emojis, personalise your ring tone, or modify your phone’s background.”
Covert collusion between Android apps of the kind documented in the newly released three-year Virginia Tech study had previously been hypothesized, and in a few cases detected: a report last June “found 5,056 versions of 21 apps capable of app collusion.” The Virginia Tech study shows that it is happening far more commonly, and at a greater scale, than previously understood.
“The most risky type of collusion identified by the researchers involves apps both sharing information without the smartphone owner’s permission and then leaking it out onto the internet. They found roughly 16,000 pairs of apps that could potentially ‘collude’ in this way,” The Hill newspaper reports.
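The “share, then leak” category above is a property of a pair of apps, not of either app alone, which is why reviewing one app’s permission list at a time cannot catch it. The script below is an added illustration of that point, not code from the Virginia Tech study or from any of the apps it examined. It assumes that the inter-app channel is an exported Android component (activity, service, receiver or provider) that is not protected by a permission, which the article does not state, and it runs over three hand-written manifest summaries constructed for this example rather than over real APKs.

```python
"""Triage app pairs for the 'share, then leak' collusion pattern.

Added example (not the study's code). Assumption: the channel between
two apps is an exported component with no android:permission guarding
it, so any co-installed app can push data into it. Manifests below are
constructed for illustration; the package names are made up.
"""
from dataclasses import dataclass, field
from itertools import permutations
from xml.etree import ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions whose data a colluding pair could hand off and exfiltrate.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
}
INTERNET = "android.permission.INTERNET"


@dataclass
class AppSummary:
    package: str
    permissions: set
    # exported components with no android:permission attribute
    open_exports: list = field(default_factory=list)


def summarize(manifest_xml: str) -> AppSummary:
    """Extract requested permissions and unprotected exported components."""
    root = ET.fromstring(manifest_xml)
    perms = {u.get(ANDROID_NS + "name") for u in root.iter("uses-permission")}
    exports = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            exported = comp.get(ANDROID_NS + "exported")
            has_filter = comp.find("intent-filter") is not None
            # Before API 31 a component with an intent-filter and no
            # explicit android:exported attribute is exported implicitly.
            if exported == "true" or (exported is None and has_filter):
                if comp.get(ANDROID_NS + "permission") is None:
                    exports.append(f"{tag}:{comp.get(ANDROID_NS + 'name')}")
    return AppSummary(root.get("package"), perms, exports)


def find_risky_pairs(apps):
    """Ordered pairs (source, sink, leaked permissions) where the source
    holds sensitive data, the sink can reach the internet, and the sink
    exposes an unprotected component the source could send data to."""
    findings = []
    for src, sink in permutations(apps, 2):
        leaked = src.permissions & SENSITIVE
        if leaked and sink.open_exports and INTERNET in sink.permissions:
            findings.append((src.package, sink.package, sorted(leaked)))
    return findings


# Constructed manifests: an emoji pack with contacts access but no network,
# a wallpaper app with network access and an implicitly exported service,
# and a flashlight app with network access but nothing exported.
XMLNS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
MANIFESTS = [
    f"""<manifest {XMLNS} package="com.example.emojipack">
      <uses-permission android:name="android.permission.READ_CONTACTS"/>
      <application><activity android:name=".MainActivity" android:exported="true">
        <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
      </activity></application></manifest>""",
    f"""<manifest {XMLNS} package="com.example.wallpaper">
      <uses-permission android:name="android.permission.INTERNET"/>
      <application><service android:name=".SyncService">
        <intent-filter><action android:name="com.example.wallpaper.SYNC"/></intent-filter>
      </service></application></manifest>""",
    f"""<manifest {XMLNS} package="com.example.flashlight">
      <uses-permission android:name="android.permission.INTERNET"/>
      <application><receiver android:name=".BootReceiver" android:exported="false"/>
      </application></manifest>""",
]


def run():
    """Summarize the constructed manifests and return the flagged pairs."""
    return find_risky_pairs([summarize(m) for m in MANIFESTS])


if __name__ == "__main__":
    for src, sink, perms in run():
        print(f"{src} -> {sink}: could leak {', '.join(perms)}")
```

Neither the emoji pack nor the wallpaper app looks alarming on its own: one asks only for contacts, the other only for network access. Only the pair-wise view shows that contacts data could be pushed into the wallpaper app’s unguarded service and sent out. The flashlight app is not flagged because it exports nothing, even though it holds the INTERNET permission.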
“Researchers were aware that apps may talk to one another in some way, shape, or form,” researcher Gang Wang said in releasing the study. “What this study shows undeniably with real-world evidence over and over again is that app behavior, whether it is intentional or not, can pose a security breach depending on the kinds of apps you have on your phone.”
It is unclear to what extent the collusion is happening on purpose. “It is difficult for the researchers to determine whether apps are intentionally designed to collude in this way or have bugs or design flaws that cause them to unintentionally allow access to information, Wang said,” according to The Hill. “While some apps appeared to be allowing others to access information unintentionally, some pairs — particularly those designed by the same developers — seemed to be maliciously designed to do so.”
The Virginia Tech researchers reportedly advise Android users to “take more care to read through permissions before downloading an application they might not necessarily need,” adding that something as seemingly harmless as a flashlight app could potentially leak a person’s geolocation information or a list of their contacts.
“App security is a little like the Wild West right now with few regulations,” Wang reportedly said. “We hope this paper will be a source for the industry to consider re-examining their software development practices and incorporate safeguards on the front end. While we can’t quantify what the intention is for app developers in the non-malware cases we can at least raise awareness of this security problem with mobile apps for consumers who previously may not have thought much about what they were downloading onto their phones.”