Bitdefender finds cracks in Apple's walled garden

Andrew Brandt is the director of threat research at Blue Coat. He's also the victim of an aggressive advertising mobile app.

A few months ago, the Android enthusiast downloaded a game promoted by Amazon as the free app of the day. "I didn't really think anything of it, but after I ran the game, strange things started happening on my phone," he explained via email.

For example, notifications began appearing for things not installed on his phone. "Then within about 30 minutes of installing, playing, and then putting the phone away, I received a text message confirmation that I had subscribed to some sort of paid SMS service for $5.99 a month," he said.

"Of course, I hadn't subscribed to the service," he said. "In fact, I hadn't even sent an SMS message myself the entire day."

What happened? Brandt had given the app permission to send SMS messages when he installed it -- ostensibly so he could share high scores and other content about the game with friends and other players. But the app abused that privilege: it sent an SMS message through a channel outside the phone's normal messaging app to auto-subscribe him to the premium service.

Brandt's case was quickly remedied by his carrier, and Amazon immediately pulled the app from its online store. But the problem of mobile apps sticking their binary noses where they ought not to is growing. And according to a study by Bitdefender, it's an affliction that significantly affects both the Android and iOS worlds.

After analyzing more than half a million free apps on both platforms over the last year, Bitdefender found "applications are equally invasive and curious on iOS as on Android, even though one may argue that one of the operating systems is safer."

The study suggests that the "Walled Garden" Apple has erected around its mobile ecosystem may have some cracks in it. "Surprisingly enough, iOS applications matched the ones written for Android," Bogdan Botezatu, a senior e-threat analyst with Bitdefender, said in an email.

"Advertisers' main goal is getting hold of user data regardless of platform, and would often go as far as the platform allows them to go," he said.

For instance, more than 45% of iOS apps contain location-tracking capabilities, compared to about 35% for Android apps, the study noted.

Bitdefender found that 7.69% of Android apps could access contacts stored on a phone, and 18.92% of iOS apps did the same thing.

Although a portion of the Android apps could leak device IDs, email addresses and phone numbers, Apple has plugged those holes in its ecosystem.

About 15% of Android apps may leak a handset's device ID, the Bitdefender study said, while almost 6% may leak email addresses and more than 8% may leak phone numbers.

While iOS apps could technically leak device IDs, emails and phone numbers, Bitdefender's Botezatu explained, Apple routinely rejects such apps when it reviews them for suitability for its app store.

"Apple has had long-standing, strict policies in place," Jeremy Linden, a security product manager for Lookout, said in an email. "While Google Play has policies regarding ad behavior, they aren't as rigorous as Apple's."

In addition, Apple intensely enforces its policies. "Apps have to be reviewed before they are published," Linden explained. "This makes publishing an iOS app more cumbersome, but does help enforce some of the policies Apple sets."

Apple did not respond to a request for comment.

According to Trend Micro, almost one in four mobile Android apps contains malware or the kind of premium subscription scam that infected Brandt's phone. "Those apps not only exfiltrate your credentials, but [can] send text messages and access websites that you get billed for through your telco provider," Tom Kellermann, vice president of Cyber Security for Trend Micro, said in an interview.

"It's a great way to milk someone," he continued, "because they've downloaded an app that, unbeknownst to them, steals their credentials and contacts lists and forces them to use premium services."

Although the use of aggressive adware is a growing problem in the mobile world, it isn't new. "It's a problem that's been around forever," Dirk Sigurdson, director of engineering for Rapid7's Mobilisafe, said in an interview. "PCs have always had this problem, as well. Adware has always collected information from users to tailor ads for them.

"At least with mobile, you can see what your apps are accessing," he added.
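The two practical points in the article are that the damage in Brandt's case began with a permission he granted at install time, and that on mobile you can at least inspect what an app is allowed to reach before you run it. The following is an added example, not code from the article or from any of the vendors quoted in it: a small Python audit that reads a decoded AndroidManifest.xml (for instance, one produced by apktool) and groups the app's declared permissions into the data-access categories the Bitdefender study counted (SMS, contacts, location, device ID and phone number, account email), flagging SMS-sending capability because that is what the subscription scam abused. The manifest below is constructed for the demonstration; the package name and app label are invented, and the permission strings are real Android permission names.

```python
"""Audit the permissions an Android app declares in its AndroidManifest.xml.

Added example (not from the article): groups declared permissions into the
data-access categories discussed in the text and flags premium-SMS exposure.
Assumes a decoded, plain-text manifest; the sample manifest below is
constructed for the demo and does not describe any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the category of data/capability
# each one grants.
SENSITIVE_PERMISSIONS = {
    "android.permission.SEND_SMS": "sms_send",
    "android.permission.RECEIVE_SMS": "sms_receive",
    "android.permission.READ_SMS": "sms_receive",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "device_id_or_phone_number",
    "android.permission.GET_ACCOUNTS": "account_email",
}

# Constructed sample: a "free game" that asks for far more than a game needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Free Game"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(ANDROID_NS + "name")
        for elem in root.iter("uses-permission")
        if elem.get(ANDROID_NS + "name")
    }


def audit_manifest(manifest_xml):
    """Group sensitive permissions by category and rate premium-SMS exposure.

    Returns {"categories": {category: [permissions]}, "premium_sms_risk": str,
             "ignored": [permissions outside the watched categories]}.
    Risk is "medium" when the app can send SMS at all (the capability abused
    in the subscription scam described in the text) and "high" when it can
    also read or receive SMS, since incoming messages such as a subscription
    confirmation are then reachable by the app as well.
    """
    perms = declared_permissions(manifest_xml)
    categories = {}
    ignored = []
    for perm in sorted(perms):
        cat = SENSITIVE_PERMISSIONS.get(perm)
        if cat is None:
            ignored.append(perm)
        else:
            categories.setdefault(cat, []).append(perm)
    can_send = "sms_send" in categories
    can_read = "sms_receive" in categories
    if can_send and can_read:
        risk = "high"
    elif can_send:
        risk = "medium"
    else:
        risk = "none"
    return {"categories": categories, "premium_sms_risk": risk, "ignored": ignored}


def summarize(report):
    """One line per category plus the SMS risk rating, for a quick review."""
    lines = [f"{cat}: {', '.join(perms)}"
             for cat, perms in sorted(report["categories"].items())]
    lines.append(f"premium SMS risk: {report['premium_sms_risk']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(audit_manifest(SAMPLE_MANIFEST)))
```

The audit only reads the manifest, so it tells you what an app could access, not what it actually does; on-device permission screens and, for installed apps, the carrier's premium-service controls remain the checks that would have caught the case in the article. Pair the output with the question the article implicitly asks: does a game have any business sending SMS or reading contacts?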

Stories by John P. Mello Jr.