madison

Dev Connection

Ed Burnette
Home / News & Blogs / Dev Connection

"I am not a villain," says alleged Android Trojan creator

By | August 23, 2010, 5:00pm PDT

Summary: Developer Max Lifshin says that whistle blowers have unfairly classified his Android application Tap Snake as a Trojan and deprived him of income by getting it banned from the Android Market.

Max Lifshin, an Android developer living in Russia the US, says his Tap Snake program is not a Trojan or virus, despite a warning from security software maker Symantec last week. Lifshin has been vilified in the press for releasing the program, which was intended for parents to track their children’s whereabouts. Reached by ZDNet for comment, Lifshin insisted that his motivations were innocent:

The app is no more malicious than a motion detection camera - everything depends on the user’s intentions. It gives all the proper warnings and requires a set up, a conscious action, to report location. It can be easily used by mothers worrying about their kids’ whereabouts. In fact, I suspect the majority of users were indeed the mothers.

For the program to work, the parent or guardian downloads and installs the innocuous looking game on their kid’s phone. During the installation process, Android asks for permission to access location information and to send and receive information to the Internet. After accepting these terms, the parent must open up a menu option and activate the tracking service with a unique key. Then they give the phone back to their child. From that point on, the game will occasionally upload its location to a server, where only somebody with the key can view it. Lifshin says:

The app is not really very different from Google’s Latitude. As any technology product, it can be put to either noble or malicious ends.

The game can be uninstalled at any time. The program run by the parent to view location information is called GPS Spy. The Market description for GPS Spy openly explained how all this works, saying:

Download and install the free Tap Snake game from the Market to the phone you want to spy on. Press MENU and register the Snake with the service. Use the GPS Spy app on your phone with the same email/code to track the location of the other phone.

However, the description of the Tap Snake game did not say anything about tracking, presumably so your child could look up the game for updates or reviews and be none the wiser. Until recently, Tap Snake was a free download and GPS Spy was $4.99. After the news came out, Google removed both apps from the Market. According to Lifshin,

What’s sad is that these “whistle blowers” have prompted Google to suspend the app and thus deprived me of income. They unfairly classified this app as a Trojan and portrayed me as a villain, a malicious Russian developer working in the shadows.

What do you think: is this a dangerous Trojan or a useful safety device for parents? Was Google right to ban it? Speak up in the Talkback section below.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Dev Connection”

Topics

Developer, Trojan Horse, GPS, Spyware, Spyware, Adware & Malware, Consumer Electronics, Personal Technology, Security, Ed Burnette

Ed Burnette is a software industry veteran with more than 25 years of experience as a programmer, author, and speaker. He has written numerous technical articles and books, most recently "Hello, Android: Introducing Google's Mobile Development Platform" from the Pragmatic Programmers.

Disclosure

Ed Burnette

Ed Burnette is a Manager of Mobile Development at SAS. However the postings on this site are his own and do not represent the positions, strategies, or opinions of his employer.

Biography

Ed Burnette

Ed Burnette has been hooked on computers ever since he laid eyes on a TRS-80 in the local Radio Shack. Since graduating from NC State University he has programmed everything from serial device drivers and debuggers to web servers. After a delightful break working on commercial video games, Ed reluctantly returned to business software. He currently develops enterprise software for Android phones and tablets.

In his copious spare time, Ed writes and speaks about all kinds of technology and software. His most recent books include the Eclipse IDE Pocket Guide from O'Reilly and Hello, Android: Introducing Google's Mobile Development Platform from the Pragmatic Programmers.

Talkback Most Recent of 30 Talkback(s)

  • It is a useful saftey device
    as everyone here will attest to the fact that Linux based devices cannot be loaded with a trojan, so it cannot be one since it can be loaded onto the operating system.
    ZDNet Gravatar
    Mister Spock
    23rd Aug 2010
  • RE:
    @Mister Spock Any operating system can run a program that does something the user doesn't want - that would be malware.

    For the mother it's "a useful utility" for the child it's malware (a trojan in fact). All depends on your point of view.

    Of course, someone installing this on their partner's phone and we'd probably take a different view.
    ZDNet Gravatar
    Jeremy-UK
    23rd Aug 2010
  • I believe Mister Spock was being sarcastic...
    @Jeremy-UK
    maybe.
    ZDNet Gravatar
    ericesque
    23rd Aug 2010
  • Mistakes made either way you argue it
    If Lifshin was indeed trying to sell a legitimate service, he made a couple of mistakes in how he designed and sold it. If his intention was less than honest, then he still made mistakes, the ones that were uncovered by Symantec.

    My daughter's phone has emergency GPS location service, it came with our family phone plan. My wife and I have access PINs, and any law enforcement officer can have it immediately report location as long as the phone is turned on. We explicitly told this to our daughter when we gave her the phone: "Keep this phone with you. If something bad happens to you or you get hurt, it is the only way we can find you." The hugs she gave us brought tears to my eyes. Kids are not stupid, at least mine aren't; you don't have to spy on them when they know you are looking out for them, not just being a control freak.
    ZDNet Gravatar
    terry flores
    23rd Aug 2010
  • I concur
    @terry flores
    Well thought out reply and one that sums up the honest intent of this software.
    ZDNet Gravatar
    FiOS-Dave
    24th Aug 2010
  • Riiiiiight.....
    And Bill Clinton didn't have sex with (wretch!) Monica Lewinsky, and OJ didn't commit a double homicide.
    ZDNet Gravatar
    Joe_Raby
    23rd Aug 2010
  • Google was right to ban it
    On the same grounds that a local supermarket has a right to and should refuse to sell soft porn magazines, Google was right to ban this. However if someone wants to install it for the right reason, they can install it as a third party app.

    But if someone does not want it installed, this is as good an opportunity to remind people to lock their phones so that unauthorized use is prohibited (meaning use a lock pattern or password or something) because once it's unlocked most smart phones let anyone install an app. This app is not a trojan horse, because the person installing it knows exactly what they are doing. This is merely an example of what can happen when you allow someone unauthorized access, or if you blindly accept access from an authority figure like your parents, your job, or your school (see the Lower Merion Township case for more on that).
    ZDNet Gravatar
    Michael Kelly
    24th Aug 2010
  • RE:
    @Michael Kelly "On the same grounds that a local supermarket has a right to and should refuse to sell soft porn magazines"

    I understand the right to refuse. Explain "they should refuse". That is a moral issue. Not an ethical issue. Businesses are not moral. They are ethical - or not, as the case may be.
    ZDNet Gravatar
    trent1
    24th Aug 2010
  • This is really pretty simple...
    Let me break this down for some that may not get it. I've been working in Information Security for about 12 years, the last year and a half has been with a company that develops mobile security products. We were actually the first to identify Tap Snake, we just didn't make it public. Tap Snake/GPS Spy is, by no means, the first spyware app to hit Android. FlexiSpy, Mobile Spy, Mobistealth, Spy Bubble all come to mind. Nor was it the first to even hit the Android Market. Look for "Girlfriend Text Message Viewer" or any of the other apps developed by "Lee Cook". He has several variants that ARE STILL in the Market.

    What this developer is missing is that every AV vendor will consider his app to be malicious because of the way it hides itself. When an app is able to monitor communication and/or location data AND it hides or obfuscates its true intent, it will be called spyware. AV vendors are erring on the side of a possible victim in these instances. I've personally been involved with law enforcement, assisting forensics investigations to figure out how a disgruntled spouse or stalker is tracking someone's location. It happens more times than I can count and could potentially turn violent.

    IMHO if this developer really was interested in providing a product that can help parents ensure their children's safety, I commend him for that. There are certainly dozens upon dozens of apps that already do that today and they have not been labeled spyware...it's about how their app interacts with the intended user and whether it is able to hide itself from a potential victim.
    ZDNet Gravatar
    tvennon
    24th Aug 2010

  • ZDNet Blogger

    GPS Spy wasn't hiding
    The intent of the software was spelled out for anyone to see in the description of the GPS Spy program. And Tap Snake didn't make itself invisible, it was right there in the list of programs that could be uninstalled. You could also look at the permissions granted to it and see that it had access both to your location and the Internet - that wasn't hidden either. What else was needed to make this not count as spyware?

    Would a sentence in Tap Snake's description in the market have been enough? You could already click on 'more applications' and see GPS Spy in the list of apps made by the same person. So the info was there, you just had to dig for it.
    ZDNet Gravatar
    Ed Burnette
    24th Aug 2010
  • Is Facebook next to be tagged as malware?
    I seem to recall just reading how Facebook for mobile devices just added a new feature to their mobile programs, which will allow friends and maybe more (depending upon your security settings), to track you. And this setting is turned ON by default. So unless you are watching carefully when you update your Facebook app, someone could track you WITHOUT YOUR KNOWLEDGE!

    At least this program was up front about what it does including the fact that it had to be installed and you would have to allow access to both the internet and the gps.

    I think that I'm missing something here...
    ZDNet Gravatar
    crap@...
    25th Aug 2010
  • Trojan or No it's up to someone to judge
    I think Lifshin claim is justifiable. If it is a legitimate company produce such a software there will be no complaints but it was because of a single individual so it is classified as Trojan.

    Just like other advertising medias who uses auto-pop up malicious programs to send force advertising. I think this is what Lifshin is trying to say to defend himself.
    ZDNet Gravatar
    antiviruskey
    24th Aug 2010
  • Unless you can hide the true purpose...
    The average teen will find out that you're tracking then and do whatever it takes to disable the installed app.

    To @terry flores - congratulations on having a responsible child (and to others in the same situation). However, there are many more kids out there that would scream bloody murder if they knew that their parents had the ability to monitor their location at will.

    If you have a responsible child, then congratulations, for the rest of us (my son was very rebellious at 16), this app would be a good tool. Since the location information must be retrieved with a private key, there's no specific danger outside of the parents' ability to learn where their child is "hanging out."

    @ tvennon - If you're worried about stalking, don't lend your phone to strangers. Then apps like this can't be installed.

    My vote - Max has been torpedoed.
    ZDNet Gravatar
    Timpraetor
    24th Aug 2010
  • The net effect...
    Just because I cannot get my product to be sold by WalMart does not mean that I have been treated unfairly.

    It is possible to install the app from outside Google Apps. At least Google is not acting like Apple in this respect.

    By banning the project from Google Apps, Google wants to create the illusion in the end-user's mind that everything on Google Apps is safe. Really? Let us know how that works out for you.
    ZDNet Gravatar
    pwatson
    24th Aug 2010
  • Follow the money
    If the carrier offers a similar tracking service and charges for it (or included at a certain plan level) then there is a motivation right there to ban a competing product.
    ZDNet Gravatar
    PepperdotNet
    24th Aug 2010
View More Comments

Talkback - Tell Us What You Think

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
Click Here

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources