The good news, according to academic researchers, is that your phone most likely isn’t secretly listening to your conversations. The bad news is that fears of Android apps spying on users aren’t totally unfounded.
Computer science researchers at Northeastern University in Boston conducted a massive study of 17,260 Android apps from the Google Play store, as well as third-party marketplaces AppChina, Mi.com and Anzhi. The study, which was published this week in a research paper titled “Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications,” found no evidence that apps were secretly enabling device microphones to record and exfiltrate audio data. However, the research team did find evidence of “several” Android apps spying on users by recording video and images of users’ screens.
“Our study reveals several alarming privacy risks in the Android app ecosystem, including apps that over-provision their media permissions and apps that share image and video data with other parties in unexpected ways, without user knowledge or consent,” the researchers wrote. “We also identify a previously unreported privacy risk that arises from third-party libraries that record and upload screenshots and videos of the screen without informing the user and without requiring any permissions.”
The research team, which used a combination of static and dynamic code analysis, didn’t specify the number of Android apps found spying on users, but the paper did say it was “few” compared to the total number of apps reviewed. “On the one hand, this is good news: a very large fraction of apps are not abusing the ability to record media,” the researchers wrote. “On the other hand, it could also indicate that our analysis missed other cases of media leaks.”
The Northeastern University team cited several examples of popular apps that engaged in unauthorized recording of users’ screens, including GoPuff, a food delivery app. The researchers discovered the app sent captured video via the internet to a domain belonging to web analytics firm Appsee, and that the video recording could include personally identifiable information such as ZIP codes. The researchers said that Appsee’s software required no permissions to record the video and did not issue notifications to users.
Northeastern University’s “Panoptispy” research comes as Google has increased its efforts to curb potential Android app spying. The company previewed the security features of Android P, the newest version of the mobile OS, at the Google I/O conference in May. Android P will only grant access to device sensors such as microphones and cameras to apps in the foreground, preventing potentially harmful apps from running covertly in the background and using sensors to spy on users. However, that particular feature wouldn’t prevent apps like GoPuff from performing unauthorized video exfiltration.
In other news
- A former employee of NSO Group Technologies, an Israeli company that specializes in spyware and iPhone hacking tools, has reportedly landed in hot water. According to an indictment, Israeli authorities claim an unnamed NSO employee stole the company’s Pegasus spyware product and tried to sell it for $50 million in cryptocurrency. According to reports, the indictment states the disgruntled employee began working for NSO last year as a senior programmer and was granted access to the company’s source code. The indictment also claims the employee posed as a hacker and tried to sell the Pegasus code to other hackers on the dark web; one potential buyer notified NSO of the matter, which investigated the individual with the assistance of law enforcement.
- Computer scientists from the University of California, Irvine, published research regarding a new attack technique they call “Thermanator,” which records thermal residue on keyboard keys to determine users’ passwords and other sensitive information such as PINs. According to the researchers, a midrange thermal imaging camera could allow threat actors to observe and record keystroke. “Results show that entire sets of key-presses can be recovered by non-expert users as late as 30 seconds after initial password entry, while partial sets can be recovered as late as 1 minute after entry,” the research paper states. While attackers would need to have a clear view of a target’s keyboard, the researchers say the Thermanator attack shows that “using external keyboards to enter (already much-maligned) passwords is even less secure than previously recognized.”
- A newly discovered update of malware descended from an old Trojan is now equipped with a downloader that can decide whether to mine cryptocurrencies or encrypt files for ransom on victim systems. Kaspersky Lab researchers Egor Vasilenko and Orkhan Mamedov wrote that the new version of the malware, which is related to the Rakhni family of ransomware that Kaspersky Lab uncovered in 2013, checks system attributes before downloading its malicious payload, specifically looking at whether there is a folder named %AppData%Bitcoin. If the folder is present, then the downloader selects the ransomware cryptor; “If the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded. If there’s no folder and just one logical processor, the downloader jumps to its worm component,” to continue propagating the malware locally, the researchers wrote. The cryptomining malware mines for the Monero, Monero Original and Dashcoin cryptocurrencies.