Android 'Snake' Trojan harvests GPS data
An Android game that secretly harvests GPS data has been discovered on the Android Market by security firm Symantec.
The free game — called Tap Snake — was identified by the company on 12 August and announced in a blog post on Monday after it had updated its antivirus signature to identify the newly classified Trojan as AndroidOS.Tapsnake.
The app appears as a classic game of Snake, but once installed and registered, it will periodically send location reports to a remote server, according to Symantec. However, in order to access the location updates, the snooping software requires a counterpart app — called GPS Spy — to be installed on the 'attacker' handset.
In addition, the same email and passkey credentials used when downloading Tap Snake must be entered into the GPS Spy app in order for the attacker handset to receive the location details. GPS Spy will then check the whereabouts of the targeted handset every 15 minutes to present up-to-the-minute location data and data for the preceding 24 hours.
Symantec has classified the threat level for the malware as very low, as local access to the device is required to input the email and passkey information. However, the company decided to classify it as a Trojan because the Tap Snake app has undisclosed functionality. However, GPS Spy, which is a paid-for download — fully explains how to use the two apps in its description.
"In the installation process, the application [Tap Snake] does call out that it accesses location data. But exactly what it does with that — the geolocation and tracking part of it — are not explicitly called out... Because this secondary and somewhat hidden tracking is entirely unrelated to the game, we felt that it made sense to detect it as a Trojan. Unfortunately, the tracking behaviour provides no benefit to the person who downloaded the game," explained Kevin Hogan, senior manager at Symantec Security Response, to ZDNet UK.
Hogan added that the app could, in theory, be used to harvest other sensitive information, but in reality it would require a major rewrite of the code.
"It wouldn't really be the same thing. It's like saying, 'could you take Microsoft Word and make it into Excel?' Well, yes, you could if you rewrote large parts of it entirely, but no, not easily," said Hogan. Even so, he did warn that this could only be the beginning for Android-specific attacks.
"The nature of Android is such that it's a far more open platform. The marketplace itself is obviously a lot more open and unstructured, relative to something like the iPhone App Store," Hogan noted. "Simply because of the environment, the Android itself is going to end up being so widely used and on so many different handsets. That in itself, irrelevant of openness or any of the other aspects, will probably lead to more of these types of applications and beyond that, things that are more malicious than this."
An Android SMS Trojan was discovered in Russia and found to be targeting the Android platform by sending text messages to premium rate numbers. However, security researchers said last Wednesday that the risk to UK users was "minimal".
The Palm Pre was also found last Wednesday to be vulnerable to snooping software that would allow an attacker to record and transmit recordings of conversations to a remote server without a user's consent. Palm later informed ZDNet UK that it had patched the hole in the latest version of WebOS.