Malware may be difficult to define but, as former U.S. Supreme Court Justice Potter Stewart famously quipped about pornography “you know it when you see it.” At least that’s the position being taken by Google and anti malware firms about two applications designed for mobile phones running Google’s Android operating system. Now the developer is crying foul.
The dispute arose on August 16 after Symantec Corp. published a warning on its research blog, Security Response, about a game for Android mobile phones developed by Maxicom (http://maxicom.net/), a Newton, Massachusetts-based consulting and application development firm. The game, Tapsnake, disguised location monitoring features, prompting Symantec to declare it a Trojan application and publish a signature to detect it. Finnish anti malware firm F-Secure followed, a day later, with a post on its research blog also warning about Tapsnake and declaring it a malicious mobile spying program.
The applications: GPS Spy and Tap Snake were designed to work in tandem, said Max Lifshin, sole proprietor of Maxicom and the developer of GPS Spy, Tapsnake and a slew of other location-based applications for the Android OS. Tap Snake is a free download and acts as a client application reporting the location of the phone on which it is installed every 15 minutes to an application running on Google’s free App Engine service. The GPS Spy application, which sells for $4.99, downloads that data and displays it as location points on Google Maps, recreating the travels of the person carrying the phone running Tapsnake.
F-Secure likened the applications to other commercial programs like FlexiSPY,a remote monitoring tool marketed as a tool to “catch cheating spouses” and monitor the whereabouts of children. FlexiSpy includes call tapping capabilities and runs on a variety of phones (though not Android) and retails for $349 described as malicious spying applications.
The warnings from Symantec and F-Secure and the resulting press coverage got the attention of Google, which suspended both applications from its Android Market shortly after. A Google spokesman confirmed that the applications were removed because of a “policy violation,” but declined to say what that violation was. Google’s Android Market Content Policy for Developers asks developers to avoid uploading applications to the Market that invade the personal privacy of users: a policy that Tapsnake clearly seems to violate.
Speaking with Threatpost, Lifshin said that GPS Spy and Tapsnake were location tracking programs, but were not malicious. Like other applications that use geolocation, including Google’s Latitude, GPS Spy and Tapsnake could also be used for malicious ends, he said.
“The app is no more malicious than a motion detection camera,” Lifshin wrote in an e-mail. “Everything depends on user’s intentions. It gives all the proper warnings and requires a set up, a conscious action to report location.”
In order to activate the location features, Lifshin said, someone would need to have physical access to the mobile phone to both install the game and then activate the GPS features. He said the program could be used for spying by a spouse, or by parents who want to monitor the whereabouts of their teenager. Lifshin said that the instructions that accompany the game make it clear what purpose the applications have.
Symantec Corp.’s analysts acknowledged as much in their blog post, admitting that “a dash of social engineering” would be needed to activate the spying program, in addition to physical access to the phone. Other programs offer remote monitoring. The difference, according to Symantec, is that, unlike Tapsnake, they “disclose this information up front, and do not claim to be something else—the primary reason we consider this a Trojan.”
F-Secure reached a similar conclusion, according to Chief Research Officer Mikko Hyppönen.
“The idea behind this attack is that someone borrows your phone and installs the Tap Snake game – to be able to later see your whereabouts. As you are not installing the game yourself, you will never see the Android OS warning shown during the installation of an application that accesses your location information,” Hyppönen wrote in an e-mail message to Threatpost. After that, he notes, Tapsnake will “automatically start every time you restart your phone, and it will continue running in a hidden mode, even if you think you exited the game.”
F-Secure said customers who install our Android security software would expect to get warned if they have Tapsnake running on their phone. The company has signatures for similar programs, such as Flexispy. “They can choose to ignore the warning if they *really* want to run it. I doubt many do,” he wrote.
Lifshin said that he sold around 150 copies of GPS Spy before it was removed from the Android Market. He argues that the guidelines for what is and isn’t malicious are unclear, and says that Google has not contacted him to explain what policies he violated or why his applications were removed from the Android Market. “I’m in limbo, here,” he said.
Disputes over what does and doesn’t count as “malicious” are bound to increase as mobile application ecosystems continue their rapid growth. The appearance in recent weeks of an SMS Trojan for Android and similar programs for iPhone and RIM’s BlackBerry suggest that mobile malware may have reached a tipping point. And, as developers swarm to new mobile platforms has created an opportunity for well or ill intentioned developers to distribute malicious applications, security experts have warned.
Though disappointed, Lifshin said he’s not interested in pursuing the issue with Google and prefers to focus on other applications, like a recent Treasure Hunt game for Android, that find novel applications for the phone’s geolocation features.
