Free applications may offer premium content at no cost, but they often require personal information to be surrendered.
According to Michael Sutton, director of security research at ZScaler, those privileges may allow a user to be monitored, and sensitive information potentially viewed and compromised. In the case of the owner of a company-owned device being allowed to download applications, they may download a free application that could monitor and access connections.
Sutton said that users should assume you are being watched if you choose to download free applications or apps from “unofficial” app stores, as these are set up to harvest details. “People need to be aware of this stuff and I don’t think that they are,” he said.
“A free app wants to deliver meaningful advertisements, so the app will grab whatever it can to track that device, not the person, and if the same advertising SDK is used on many apps it can track that same device. So it can create a profile of me and deliver meaningful ads. Some people don’t care about that, but some people don’t like it at all as it tracks me and my behaviour.”
According to a list of the most popular apps by Global Web Index, these are social networks which require personal or geo-location data. “The top ten apps will not be doing anything worse than number 10,000 or number 20,000,” said Sutton.
“Most of what we see that is malicious is not on official app stores; everything malicious comes from third party stores. The majority are fake or cloned versions, and the majority of what they do is SMS fraud.”
According to research released last month by ZScaler, the Android malware MouaBad.P has the ability to read, write, send and receive SMS messages. “Forcing Android applications to initiate calls to premium phone numbers controlled by the attackers is a common revenue generation scheme that we see, particularly in Android application distributed in third party Android app stores,” the research said.
Sutton claimed that its analysis of apps shows common themes across privacy as apps are often aggressive in terms of the user data that they want access to, and it is often because they are free apps. “They track user information because the advertisers want that.”
As ZScaler detailed in August, privacy-related data that is collected typically includes the Device UDID; personal identification information; SMS and call activity and the ability to write to external storage.