Google Bans GPS Spy App, Developer Cries Foul

Malware may be difficult to define but, as former U.S. Supreme Court Justice Potter Stewart famously quipped about pornography “you know it when you see it.” At least that’s the position being taken by Google and anti malware firms about two applications designed for mobile phones running Google’s Android operating system. Now the developer is crying foul.

Malware may be difficult to define but, as former U.S. Supreme Court Justice Potter Stewart famously quipped about pornography “you know it when you see it.” At least that’s the position being taken by Google and anti malware firms about two applications designed for mobile phones running Google’s Android operating system. Now the developer is crying foul.

The dispute arose on August 16 after Symantec Corp. published a warning on its research blog, Security Response, about a game for Android mobile phones developed by Maxicom (http://maxicom.net/), a Newton, Massachusetts-based consulting and application development firm. The game, Tapsnake, disguised location monitoring features, prompting Symantec to declare it a Trojan application and publish a signature to detect it. Finnish anti malware firm F-Secure followed, a day later, with a post on its research blog also warning about Tapsnake and declaring it a malicious mobile spying program.

The applications: GPS Spy and Tap Snake were designed to work in tandem, said Max Lifshin, sole proprietor of Maxicom and the developer of GPS Spy, Tapsnake and a slew of other location-based applications for the Android OS. Tap Snake is a free download and acts as a client application reporting the location of the phone on which it is installed every 15 minutes to an application running on Google’s free App Engine service. The GPS Spy application, which sells for $4.99, downloads that data and displays it as location points on Google Maps, recreating the travels of the person carrying the phone running Tapsnake. 

F-Secure likened the applications to other commercial programs like FlexiSPY,a remote monitoring tool marketed as a tool to “catch cheating spouses” and monitor the whereabouts of children. FlexiSpy includes call tapping capabilities and runs on a  variety of phones (though not Android) and retails for $349 described as malicious spying applications. 

The warnings from Symantec and F-Secure and the resulting press coverage got the attention of Google, which suspended both applications from its Android Market shortly after. A Google spokesman confirmed that the applications were removed because of a “policy violation,” but declined to say what that violation was. Google’s Android Market Content Policy for Developers asks developers to avoid uploading applications to the Market that invade the personal privacy of users: a policy that Tapsnake clearly seems to violate.

Speaking with Threatpost, Lifshin said that GPS Spy and Tapsnake were location tracking programs, but were not malicious. Like other applications that use geolocation, including Google’s Latitude, GPS Spy and Tapsnake could also be used for malicious ends, he said. 

“The app is no more malicious than a motion detection camera,” Lifshin wrote in an e-mail. “Everything depends on user’s intentions. It gives all the proper warnings and requires a set up, a conscious action to report location.” 

 
What’s sad that these “whistleblowers” from F-Secure have prompted Google to suspend the app and thus deprived me of some income. They also have portrayed me as a villain, a malicious Russian developer working in the shadows. I am indeed a Russian American, but my Russianness have nothing to do with the whole thing.”The app(lication) is no more malicious than a motion detection camera. Everything depends on the user’s intentions. It gives all the proper warnings and requires a set up, a conscious action,  to report location,” he wrote in an e-mail. 

In order to activate the location features, Lifshin said, someone would need to have physical access to the mobile phone to both install the game and then activate the GPS features. He said the program could be used for spying by a spouse, or by parents who want to monitor the whereabouts of their teenager. Lifshin said that the instructions that accompany the game make it clear what purpose the applications have.

Symantec Corp.’s analysts acknowledged as much in their blog post, admitting that “a dash of social engineering” would be needed to activate the spying program, in addition to physical access to the phone. Other programs offer remote monitoring. The difference, according to Symantec, is that, unlike Tapsnake, they “disclose this information up front, and do not claim to be something else—the primary reason we consider this a Trojan.”

F-Secure reached a similar conclusion, according to Chief Research Officer Mikko Hyppönen. 

“The idea behind this attack is that someone borrows your phone and installs the Tap Snake game – to be able to later see your whereabouts. As you are not installing the game yourself, you will never see the Android OS warning shown during the installation of an application that accesses your location information,” Hyppönen wrote in an e-mail message to Threatpost. After that, he notes, Tapsnake will “automatically start every time you restart your phone, and it will continue running in a hidden mode, even if you think you exited the game.”

F-Secure said customers who install our Android security software would expect to get warned if they have Tapsnake running on their phone. The company has signatures for similar programs, such as Flexispy. “They can choose to ignore the warning if they *really* want to run it. I doubt many do,” he wrote.

Lifshin said that he sold around 150 copies of GPS Spy before it was removed from the Android Market. He argues that the guidelines for what is and isn’t malicious are unclear, and says that Google has not contacted him to explain what policies he violated or why his applications were removed from the Android Market. “I’m in limbo, here,” he said. 

Disputes over what does and doesn’t count as “malicious” are bound to increase as mobile application ecosystems continue their rapid growth. The appearance in recent weeks of an SMS Trojan for Android and similar programs for iPhone and RIM’s BlackBerry suggest that mobile malware may have reached a tipping point. And, as developers swarm to new mobile platforms has created an opportunity for well or ill intentioned developers to distribute malicious applications, security experts have warned. 

Though disappointed, Lifshin said he’s not interested in pursuing the issue with Google and prefers to focus on other applications, like a recent Treasure Hunt game for Android, that find novel applications for the phone’s geolocation features.  

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.

Discussion

  • global geetha on

    <!-- /* Font Definitions */ @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-charset:1; mso-generic-font-family:roman; mso-font-format:other; mso-font-pitch:variable; mso-font-signature:0 0 0 0 0 0;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4; mso-font-charset:0; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:-1610611985 1073750139 0 0 159 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:""; margin-top:0in; margin-right:0in; margin-bottom:10.0pt; margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} .MsoPapDefault {mso-style-type:export-only; margin-bottom:10.0pt; line-height:115%;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} -->

    Mobile Application Development has changed our lifestyle by bringing the world to our fingertips!

  • Jennifer on

    Googles response is inane! This "game" is clearly designed to fool the installer and, even if it doesn't link with GPS Spy, it will leach the battery by frequently seeking (and not declaring) the GPS signal. Warning dialogs are fine but when an app developer is clearly subverting the process, Google should pull the app and send an update warning to anyone who has it installed.



    Open systems don't mean open to having your privacy removed.

    Jenni @  IPhone Spy App

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.