Those handy Android apps on your smartphone are apparently mining your personal information, according to a new study.
The study, done by researchers at Virginia Tech, is the first to study how apps “talk to one another and trade information,” according to a news release.
Researchers say there are two kinds of threats: malware and “apps that simply allow for collusion and privilege escalation.” They add that in the latter group, they can not measure whether the developer intentionally created security breaches.
They describe a leaking scenario, saying, for example, that a flashlight app could work with a receiver app to reveal information like contacts or location.
The team of researchers looked at more than 100,000 apps from Google Play as well as about 10,000 malware apps over three years.
“Researchers were aware that apps may talk to one another in some way, shape, or form,” said assistant professor Gang Wang. “What this study shows undeniably with real-world evidence over and over again is that app behavior, whether it is intentional or not, can pose a security breach depending on the kinds of apps you have on your phone.”
The researchers say the most leaky apps were the “least utilitarian” such as ringtones and emojis.
Researchers said that among the apps tested, they found “thousands of pairs of apps that could potentially leak sensitive phone or personal information and allow unauthorized apps to gain access to privileged data.”
“App security is a little like the Wild West right now with few regulations,” said Wang. “We hope this paper will be a source for the industry to consider re-examining their software development practices and incorporate safeguards on the front end. While we can’t quantify what the intention is for app developers in the non-malware cases we can at least raise awareness of this security problem with mobile apps for consumers who previously may not have thought much about what they were downloading onto their phones.”
The results of the study, which was funded by the Defense Advanced Research Projects Agency as part of its Automated Program Analysis for Cybersecurity initiative, were presented Monday in Dubai at the Association for Computing Machinery Asia Computer and Communications Security Conference.