A few days ago we came across an interesting application in the Android Market, which we’ve decided to detect as AndroidOS.Tapsnake. Why are we detecting this? A cursory read through the description doesn’t tell us much, other than it’s a spin on the classic “snake” video game, which dates back to the 1970s:
"Yet another modification of the Google Android Snake game. This one listens to the taps for its turn directions."
Sure enough, after downloading and registering the game it plays as you might expect it to:
However, the Android “satellite” icon appeared in the top menu bar while the game was running, indicating that GPS data was being acquired. What was requesting this data? Well, it was a Trojan included with the game, which uploads the data to a remote server, allowing another person to monitor the location of the phone without the knowledge of the user.
In order to receive the GPS coordinates, a second, paid-for application called "GPS Spy" must be installed on another Android device. In this case, the developer describes it as an application to track another mobile:
"Download and install the free Tap Snake game app from the Market to the phone you want to spy on. Press MENU and register the app to enable the service. Use the GPS Spy app with the registered email/key on your own phone to track the location of the other phone. Shows the last 24 hour of trace in 15 min increments."
Essentially, AndroidOS.Tapsnake uploads the GPS data every 15 minutes to an application running on Google’s free App Engine service. GPS Spy then downloads the data and uses this service to conveniently display it as location points in Google Maps. This can give a pretty startling run-down of where someone carrying the phone has been:
The person monitoring the compromised phone can even view the date and time of the specific points uploaded by the Trojan:
Interestingly enough, the developer has published a number of applications that make use of GPS location services, so he or she obviously had some experience with device-tracking technologies. As is true of every Android application, this threat requires a set of rights in order to be installed on a device, which in this case includes location data. AndroidOS is designed in such a way that the user is told which APIs an application will access prior to installing it. What isn’t disclosed, however, is that the application will continue to run in the background, even if a user attempts to kill it:
The silver lining here is that for the application to really be used maliciously, an attacker would need to have access to the phone to install the program. For it to work, an email address and “key” must be typed into the phone running AndroidOS.Tapsnake. This same registration information must later be typed into the phone running GPS Spy.
This would probably require a dash of social engineering as well—something like “Hey, let me show you this cool game.” (Think cheating spouses or keeping tabs on children.) However, there are plenty of applications available that do the same thing and disclose this information up front, and do not claim to be something else—the primary reason we consider this a Trojan.
While certainly disconcerting, this is not a major threat and it's probably not widespread, but it shows how new mobile threats are evolving and emerging. Our advice for users of smartphones is to be careful of what you install and always check if the application you're installing is asking for rights it doesn't really need.
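The check recommended above can be run against a decoded AndroidManifest.xml. This is an added example, not code from the original post or from the application it describes; the sample manifest, its package and component names are constructed, and the choice of signals (a location permission the description does not explain, INTERNET, a declared service) is an assumption about what is worth flagging.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LOCATION = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
INTERNET = "android.permission.INTERNET"

# Constructed sample: decoded manifest of a hypothetical game.
# It is NOT the manifest of the application described in this post.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.snakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Example Snake">
    <activity android:name=".GameActivity"/>
    <service android:name=".UploadService"/>
  </application>
</manifest>
""".strip()


def audit_manifest(xml_text, expected_permissions=frozenset()):
    """Return findings for rights the app's stated purpose does not explain."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    services = [e.get(ANDROID_NS + "name") for e in root.iter("service")]
    # Permissions the reviewer accepts for this kind of app are not flagged.
    unexpected = requested - set(expected_permissions)
    findings = []
    loc = sorted(unexpected & LOCATION)
    if loc:
        findings.append("location access not explained by description: " + ", ".join(loc))
    if loc and INTERNET in requested:
        findings.append("location data can leave the device (INTERNET also requested)")
    if loc and services:
        findings.append("background service declared: " + ", ".join(services))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("[!]", finding)
```

Pass the permissions a given app legitimately needs as `expected_permissions`; a navigation app that is expected to use fine location produces no findings for it.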
Note: Thanks to Mario Ballano for his analysis and Marian Borucki for his help in testing.