A security firm that reviewed 10,000 Android apps found more than 800 of them were leaking personal data, sending the information to unauthorized servers.
Researchers from Dasient — a California-based company that provides anti-malware services to businesses — said that 11 of the apps were sending SMS messages out to other phone users.
"Some of these applications, once started, were sending premium SMS messages," Neil Daswani of Dasient told DarkReading.com."The user ends up paying for those messages, and they can be pretty expensive. It's sort of like the old 900 number scams, where if you called once, your phone would continue to incur the charges over and over again."
And in the report, while the 11 apps weren't named, the firm said:
While we did not observe any outwardly malicious text messages in our sample of 10K apps from the Android Market, we did observe 11 applications that sent text messages that could be considered spam-like. In particular, the 11 applications sent text messages to the device itself that thanked the user for installing the app and suggested sharing the app with friends. These apps are generating SMS messages that are potentially unwanted by the user.
More than 800 Android apps "leaked private information, such as IMEI and IMSIs," the firm said. "The IMEI number of a phone identifies the device, while the IMSI identifies the subscriber. These numbers are private and apps are supposed to request permission to access them for that reason. The confidentiality of these numbers is important because they can be used for fraudulent purposes, such as cloning the SIM card."
Dasient also says that while "most mobile malware attacks by trojans have relied on social engineering to encourage users to download them," there is an "emerging class of automated exploits" that resemble what are called "drive-bys" and "which don’t require the user to do anything to get infected when visiting a Web page."
Daswani will present more details from the firm's findings at next month's Black Hat conference in Las Vegas.
There are now more than 235,000 programs in the Android Market, according to AppBrain, a website for discovering Android apps.
The apps studied by Dasient "were chosen at random from 30 different categories of apps in the Android Market," the firm said in its report.
AppBrain estimates 38 percent of Android apps are "low quality," which of course, is not the same as those that have security issues.
The site's "low quality app detection filter detects automatically which apps are unlikely to be useful," AppBrain notes. "Google seems to remove apps from the market roughly once a quarter, in which case the total number of available Android apps goes down. The removed apps are almost always classified by our system as low quality apps."
Dasient says that so far, "most Android malware is not very sophisticated and usually conducts its malicious behavior with little user interaction. On one hand, cybercriminals want users to trigger their malicious application functionality fairly quickly such that they see a high conversion rate of devices infected." But, "On the other hand, Android malware will become much more sophisticated."
