"I am not a villain," says alleged Android Trojan creator

Summary: Developer Max Lifshin says that whistle blowers have unfairly classified his Android application Tap Snake as a Trojan and deprived him of income by getting it banned from the Android Market.


Max Lifshin, an Android developer living in the US, says his Tap Snake program is not a Trojan or virus, despite a warning from security software maker Symantec last week. Lifshin has been vilified in the press for releasing the program, which was intended for parents to track their children's whereabouts. Reached by ZDNet for comment, Lifshin insisted that his motivations were innocent:

The app is no more malicious than a motion detection camera - everything depends on the user's intentions. It gives all the proper warnings and requires a set up, a conscious action, to report location. It can be easily used by mothers worrying about their kids' whereabouts. In fact, I suspect the majority of users were indeed the mothers.

For the program to work, the parent or guardian downloads and installs the innocuous looking game on their kid's phone. During the installation process, Android asks for permission to access location information and to send and receive information to the Internet. After accepting these terms, the parent must open up a menu option and activate the tracking service with a unique key. Then they give the phone back to their child. From that point on, the game will occasionally upload its location to a server, where only somebody with the key can view it. Lifshin says:

The app is not really very different from Google's Latitude. As any technology product, it can be put to either noble or malicious ends.

The game can be uninstalled at any time. The program run by the parent to view location information is called GPS Spy. The Market description for GPS Spy openly explained how all this works, saying:

Download and install the free Tap Snake game from the Market to the phone you want to spy on. Press MENU and register the Snake with the service. Use the GPS Spy app on your phone with the same email/code to track the location of the other phone.

However, the description of the Tap Snake game did not say anything about tracking, presumably so your child could look up the game for updates or reviews and be none the wiser. Until recently, Tap Snake was a free download and GPS Spy was $4.99. After the news came out, Google removed both apps from the Market. According to Lifshin,

What's sad is that these "whistle blowers" have prompted Google to suspend the app and thus deprived me of income. They unfairly classified this app as a Trojan and portrayed me as a villain, a malicious Russian developer working in the shadows.

What do you think: is this a dangerous Trojan or a useful safety device for parents? Was Google right to ban it? Speak up in the Talkback section below.

Topics: Malware, Hardware, Mobility, Security, Software Development

Ed Burnette

About Ed Burnette

Ed Burnette is a software industry veteran with more than 25 years of experience as a programmer, author, and speaker. He has written numerous technical articles and books, most recently "Hello, Android: Introducing Google's Mobile Development Platform" from the Pragmatic Programmers.

  • It is a useful safety device

    as everyone here will attest to the fact that Linux based devices cannot be loaded with a trojan, so it cannot be one since it can be loaded onto the operating system.
    Tim Cook
    • RE:

      @Mister Spock Any operating system can run a program that does something the user doesn't want - that would be malware.

      For the mother it's "a useful utility" for the child it's malware (a trojan in fact). All depends on your point of view.

      Of course, someone installing this on their partner's phone and we'd probably take a different view.
      • I believe Mister Spock was being sarcastic...

  • Mistakes made either way you argue it

    If Lifshin was indeed trying to sell a legitimate service, he made a couple of mistakes in how he designed and sold it. If his intention was less than honest, then he still made mistakes, the ones that were uncovered by Symantec.

    My daughter's phone has emergency GPS location service, it came with our family phone plan. My wife and I have access PINs, and any law enforcement officer can have it immediately report location as long as the phone is turned on. We explicitly told this to our daughter when we gave her the phone: "Keep this phone with you. If something bad happens to you or you get hurt, it is the only way we can find you." The hugs she gave us brought tears to my eyes. Kids are not stupid, at least mine aren't; you don't have to spy on them when they know you are looking out for them, not just being a control freak.
    terry flores
    • I concur

      @terry flores
      Well thought out reply and one that sums up the honest intent of this software.
  • Riiiiiight.....

    And Bill Clinton didn't have sex with (wretch!) Monica Lewinsky, and OJ didn't commit a double homicide.
  • Google was right to ban it

    On the same grounds that a local supermarket has a right to and should refuse to sell soft porn magazines, Google was right to ban this. However if someone wants to install it for the right reason, they can install it as a third party app.

    But if someone does not want it installed, this is as good an opportunity to remind people to lock their phones so that unauthorized use is prohibited (meaning use a lock pattern or password or something) because once it's unlocked most smart phones let anyone install an app. This app is not a trojan horse, because the person installing it knows exactly what they are doing. This is merely an example of what can happen when you allow someone unauthorized access, or if you blindly accept access from an authority figure like your parents, your job, or your school (see the Lower Merion Township case for more on that).
    Michael Kelly
    • RE:

      @Michael Kelly "On the same grounds that a local supermarket has a right to and should refuse to sell soft porn magazines"

      I understand the right to refuse. Explain "they should refuse". That is a moral issue. Not an ethical issue. Businesses are not moral. They are ethical - or not, as the case may be.
  • This is really pretty simple...

    Let me break this down for some that may not get it. I've been working in Information Security for about 12 years, the last year and a half has been with a company that develops mobile security products. We were actually the first to identify Tap Snake, we just didn't make it public. Tap Snake/GPS Spy is, by no means, the first spyware app to hit Android. FlexiSpy, Mobile Spy, Mobistealth, Spy Bubble all come to mind. Nor was it the first to even hit the Android Market. Look for "Girlfriend Text Message Viewer" or any of the other apps developed by "Lee Cook". He has several variants that ARE STILL in the Market.

    What this developer is missing is that every AV vendor will consider his app to be malicious because of the way it hides itself. When an app is able to monitor communication and/or location data AND it hides or obfuscates its true intent, it will be called spyware. AV vendors are erring on the side of a possible victim in these instances. I've personally been involved with law enforcement, assisting forensics investigations to figure out how a disgruntled spouse or stalker is tracking someone's location. It happens more times than I can count and could potentially turn violent.

    IMHO if this developer really was interested in providing a product that can help parents ensure their children's safety, I commend him for that. There are certainly dozens upon dozens of apps that already do that today and they have not been labeled spyware...it's about how their app interacts with the intended user and whether it is able to hide itself from a potential victim.
    • GPS Spy wasn't hiding

      The intent of the software was spelled out for anyone to see in the description of the GPS Spy program. And Tap Snake didn't make itself invisible, it was right there in the list of programs that could be uninstalled. You could also look at the permissions granted to it and see that it had access both to your location and the Internet - that wasn't hidden either. What else was needed to make this not count as spyware?

      Would a sentence in Tap Snake's description in the market have been enough? You could already click on 'more applications' and see GPS Spy in the list of apps made by the same person. So the info was there, you just had to dig for it.
      Ed Burnette
      • Is Facebook next to be tagged as malware?

        I seem to recall just reading how Facebook for mobile devices just added a new feature to their mobile programs, which will allow friends and maybe more (depending upon your security settings), to track you. And this setting is turned ON by default. So unless you are watching carefully when you update your Facebook app, someone could track you WITHOUT YOUR KNOWLEDGE!

        At least this program was up front about what it does including the fact that it had to be installed and you would have to allow access to both the internet and the gps.

        I think that I'm missing something here...
  • Trojan or No it's up to someone to judge

    I think Lifshin's claim is justifiable. If a legitimate company had produced such software there would be no complaints, but because it was a single individual it is classified as a Trojan.

    Just like other advertising media that use auto pop-up malicious programs to send forced advertising. I think this is what Lifshin is trying to say to defend himself.
  • Unless you can hide the true purpose...

    The average teen will find out that you're tracking them and do whatever it takes to disable the installed app.

    To @terry flores - congratulations on having a responsible child (and to others in the same situation). However, there are many more kids out there that would scream bloody murder if they knew that their parents had the ability to monitor their location at will.

    If you have a responsible child, then congratulations, for the rest of us (my son was very rebellious at 16), this app would be a good tool. Since the location information must be retrieved with a private key, there's no specific danger outside of the parents' ability to learn where their child is "hanging out."

    @ tvennon - If you're worried about stalking, don't lend your phone to strangers. Then apps like this can't be installed.

    My vote - Max has been torpedoed.
  • The net effect...

    Just because I cannot get my product to be sold by WalMart does not mean that I have been treated unfairly.

    It is possible to install the app from outside Google Apps. At least Google is not acting like Apple in this respect.

    By banning the project from Google Apps, Google wants to create the illusion in the end-user's mind that everything on Google Apps is safe. Really? Let us know how that works out for you.
  • Follow the money

    If the carrier offers a similar tracking service and charges for it (or included at a certain plan level) then there is a motivation right there to ban a competing product.
  • Getting tired of security companies crying wolf

    Seriously, if there ever is a truly malicious program out there, I'll probably ignore all the warnings, because everything so far has been pretty much bogus. I get that they're trying to push their security software, but I think it's crap that they have to drag other developers through the mud to do so.

    Based on that description the app did exactly what it said it would do. That's like banning the app that makes it look like your screen is cracked, because it tries to trick the viewer.

    I also think it's crap that Google removed his app... I can see temporarily suspending it to investigate, but they should let him put it back on the market, with maybe a few changes to the description. (Oh, and how about not limiting our descriptions to 325 characters, Google?)
  • Useful app (based on description/use)

    Parents are responsible for the safety and actions of their children. In that context the application has legitimate use.
    Keeping Current
  • Responsibility

    If your child is responsible, why not explain how this works and let your child decide if it should be installed?
  • It's a Trojan

    Because Tap Snake is a mask for a spying software, it is a Trojan Horse virus. Dude needs to man up and take away the mask.
    • RE:

      @prof.ebral Even if it does what the description of the app says it does, and you have to manually enable it?
      Is Pandora a trojan because it can send text messages if you ask it to share a song, even though it's 'posing' as a music player?
      Also, it's not a virus, as it does not spread or infect anything.