There’s No Such Thing as a Free App

If I were a professional electrician and I put out an ad saying that I would fix any electrical problem you have for free, your first question would probably be, “what’s the catch?” In the real world, we understand that no one does any real work for free. But maybe you really need some help with an electrical problem and you don’t have much money. So you give me a chance, and, surprisingly, I fix your problem. Great, right?

But what if my true profession was as a burglar, and all I really wanted to do was to see how secure your home was. Maybe I could even disable your security system. Or, maybe I really am an electrician, but I’m hired by a group of criminals who want to find out some information on what’s in your house. In that case, I would get my money by working for them. In other words, you’d still pay for my work, but not in the way you expected.

It’s the same with free apps. Why would someone want to give you, for free, something that they’ve spent a lot of time working on? Just like in the real world example, your first question should be, “what’s the catch?” But even though I write about security and am probably more paranoid than the average person, when I find an app that I really want, I have a tendency to overlook normal precautions. After all, I really want this app and it’s free!

Unlike normal operating systems, android, according to a number of experts, really doesn’t need an antivirus program. In effect, you are the firewall and antivirus program. You work in this capacity every time you give the apps certain permissions before installing them. If you don’t give these permissions, you don’t get the app. That’s really the problem. Either accept all the permissions that go with the app or forget it. There is no way to select which permissions you want on, for example, Google Play Store.

With all this in mind, I looked at some of the most popular apps and looked at the permissions they require. Now, you know up front that some games expect you to get so addicted that you will eventually buy them or buy some trinkets to get higher scores. These apps will require some sort of net access. Other apps will send you ads or nag screens, but most of us will tolerate this if the free app works well enough. In fact, all the apps I looked at required “full network access”. Most also wanted to “view network connections”, “receive data from the internet”, and “view WiFi connections”. You can expect most games to do this. Games will also want to “modify or delete the contents of your USB storage” and “test access to protected storage”.

One of the most popular games is Subway Surfers. It seems to ask for a lot of permissions so I wondered if I could remove some of the more questionable permissions and still play the game. I first deleted the permission to “read phone status and identity”. I used a program/app called Advanced Permission Manager to do this. You have to enable your phone and tablet to allow installation of apps from other than Play Store. You can do this in your security settings. When I deleted this particular permission, the game still ran fine. However, when I deleted the permission to “download files without notification” (also known as ‘silent upgrade’) the game froze on the opening screen. The same thing happened when I denied permission to “find accounts on the device”. Apparently, hackers have used this game to install malware on smartphones and tablets so, for this reason, it is good to download it and other apps only from first party sites like Play Store.

This does not mean that Play Store has no dangerous apps. It does. It is estimated that 13 to 20% of all apps on Play Store contain malware. Most malware does seem to reside in free apps but not always. The Kaspersky Mobile app costs $4 in the Windows Phone app store. The only problem is that Kaspersky doesn’t make a mobile app, even though it’s logo was used. In fact, this seems to be a recent trend; using real company logos and even product names to trick people (and those who run the app stores) into downloading malware or buying an app that doesn’t do what it claims. But there are certain popular, legitimate apps that seem to want to do a lot of things to your system. Clean Master is supposed to free up space on your device, so you might expect it to ask for more permissions than other apps. However, this aside, should you agree to allow it to “modify system settings”, “take pictures and videos”, and “read sensitive log data”. Log data can contain usernames and passwords. But Clean Master is nothing compared to Google apps such as Google Translate. This app basically wants full control of your device. This includes the permission to “add or remove accounts”, “find accounts on the device”, “read your text messages”, “take pictures and videos”,  and “record audio”. The only popular app that I found to be more aggressive in its desire to control your device was WhatsApp Messenger.

In a paper by Lacoon Mobile Security,  Practical Attacks against Mobile Device Management (MDM) Solutions, researchers found that “surveillance tools surreptitiously planted on a user’s handheld device are able to circumvent common MDM security offerings, such as secure containers.” In its study of 500,000 cellular network users, the researchers found that 1 in 800 had devices that had been turned into spyphones. Last year, Kevin McNamee, Director of Kindsight Security Labs, explained how easy it was to create spyphone software for android devices. Basically, McNamee and his colleagues wrote a code that can be injected into any app available in the Google Play Store. Once the app is downloaded, the user will never even know his device contains the spyware because “it looks and behaves exactly like the original application, there is no evidence that it’s been tampered with.” At the same time the user is playing his or her favorite game, a remote user can track the phone’s location, read texts, emails, take pictures, record video or audio, and monitor anything the user does. “In other words, the hacker now has full remote control of the phone.”

Such spyphone malware is often targeted at companies or governmental organizations. In these cases, the study found that targeted attacks, such as phishing attacks, would be most successful in getting it installed on a device. Once any device on a company network is compromised, the attacker can easily use elevated privileges to bypass any secure container and access sensitive company information.  In fact, the researchers refer to the security of secure containers as “a myth”.  They go on to say that “it is important to recognize that infection is inevitable. As demonstrated throughout this whitepaper, MDMs cannot provide absolute security.” Companies that allow employee access to their networks through mobile devices beware. The ability for apps on an employee’s mobile device to bypass containerization is one reason why InZero Systems opted for hardware-based security that separates a device into two operating systems: an approach which does not give a malware-laden app on an employee’s device any access to sensitive company data.

This said, there is still one basic way to stop some of this spy malware from getting on your smartphone and tablet in the first place. If an app seems to ask for more permissions than it seems to have any practical use for, and, especially, if it asks for permission to control the camera and microphone, it is time to be a little suspicious. Just remember that there is no such thing as a free app. The killer app you download may be, literally, just that.

 

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.
This entry was posted in Uncategorized and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s