Android Apps Sharing Millions of Users’ Private Data
By Mark Phillips | Blog.TotalAV.com
Many of us use Android apps in our day-to-day lives, but new research has revealed that they are “secretly colluding” to share data without asking for user consent. This sharing could lead to security breaches, leaving contact and location details, among other private information, vulnerable. According to researchers at Virginia Tech University, the apps most at risk are those designed around the personalization of widgets, emojis and ringtones. In a study of over 110,000 Google Play apps (100,206 of which were the most popular), the team found 23,495 colluding pairs of apps.
Once installed, apps can communicate with each other without user consent, and some take advantage of this feature to access personal data. The team also found that other unassuming apps, such as a simple measurement converter or flashlight, can share private information with other installed apps.
“Apps that don’t have a good reason to ask for extra permissions sometimes don’t bother,” Professor Gang Wang, a computer scientist at VT University and co-author of the study, told New Scientist. “Instead, they manage to get information through other apps.”
The team believes that app data sharing threats fall into two major categories. A user’s data could be breached using (1) a malware app specifically built for cyberattacks, or (2) a normal, seemingly unremarkable type of app that merely allows collusion to take place.
As for the latter, it’s difficult to know the app developer’s full intentions, the team commented. So, while the act of collusion is certainly a data security breach, it’s possible that in many cases it was in fact completely unintentional.
VT’s researchers were already aware that apps corresponded with one another in some form, but not quite how or to what extent. The team therefore decided to conduct this analysis, an unprecedented large-scale, systematic study of how Android apps are able to talk and exchange user information.
“What this study shows undeniably with real-world evidence over and over again is that app behaviour, whether it is intentional or not, can pose a security breach depending on the kinds of apps you have on your phone,” said Professor Wang.
The team developed a tool named ‘DIALDroid’ to test and investigate different pairs of apps and their relationships, with the tool’s large inter-app security analysis taking 6,340 hours. In addition to the 110,150 apps studied over a three-year period, the team also analysed 9,994 malware apps from Virus Share, a private group of malware app samples.
“App security is a little like the Wild West right now with few regulations,” explained co-author Professor Daphne Yao, who hopes VT’s study will inform and encourage the industry to re-examine app security and development practices.
“We can’t quantify what the intention is for app developers in the non-malware cases,” Yao continued. “But we can at least raise awareness of this security problem with mobile apps for consumers who previously may not have thought much about what they were downloading onto their phones.”