GPS Tracking Trojan Hidden In Android App

A Trojan, hidden within an Android phone application, enables third parties to secretly track the location of the user via GPS

Security firm Symantec has warned of a new Trojan hidden within an Android game, which secretly uploads GPS user location information to a remote server, allowing another person to monitor the location of the phone without the knowledge of the user.

Dubbed AndroidOS.Tapsnake, the game in which the Trojan is hidden is a variation on the classic “snake” video game. According to its description in the Android Market, “This one listens to the taps for its turn directions”.

Location regularly updated

Researchers at Symantec picked up on the Trojan when they noticed that the Android “satellite” icon appeared in the top menu bar whenever the game was running. They discovered that the Tapsnake application was uploading GPS data every 15 minutes to an application running on Google’s free App Engine service.

This data can then be downloaded to a separate Android device, via a paid-for application called “GPS Spy”, which displays the data as location points in Google Maps. The person monitoring the compromised phone can also view the date and time of the specific points uploaded by the Trojan. This can paint a clear picture of where the Tapsnake user has been over the last 24 hours.

“The silver lining here is that for the application to really be used maliciously, an attacker would need to have access to the phone to install the program,” stated the Symantec blog. “For it to work, an email address and ‘key’ must be typed into the phone running AndroidOS.Tapsnake. This same registration information must later be typed into the phone running GPS Spy.”

The researchers explained that this would probably require a fair amount of social engineering – “something like ‘Hey, let me show you this cool game.’ (Think cheating spouses or keeping tabs on children.)” For this reason, they have concluded that it is not a major threat and probably not widespread. However, the fact that the application is disguised as something it’s not classifies it as a Trojan.

“Our advice for users of smartphones is to be careful of what you install and always check if the application you’re installing is asking for rights it doesn’t really need,” said Symantec.

Mobile security

Mobile security is increasingly becoming a priority, with many companies looking for enterprise-grade security and management for their employees’ smartphones. According to a recent survey by the Ponemon Institute, most respondents believe in the importance of anti-virus and anti-malware on mobile devices, as well as encryption, but are concerned about the cost of prevention methods.

Last week, a reporter at the BBC created a smartphone application which spies on the owner of the device, in an attempt to prove how straightforward it is to create malicious software for mobiles. The malware, disguised as a simple noughts and crosses game, hid under the hood gathering contacts, copying text messages, logging the phone’s location and sending it to a specially set up email address.

Meanwhile, BlackBerry maker Research In Motion is at the centre of a mobile security controversy, after governments in United Arab Emirates, Saudi Arabia and India threatened to block the sending of emails, accessing the Internet, and delivering instant messages to RIM’s Blackberry handsets. The level of encryption that RIM provides prevents security services from monitoring the devices, and the governments claim this a security issue.