GPS Tracking Trojan Hidden In Android App

Security firm Symantec has warned of a new Trojan hidden within an Android game, which secretly uploads GPS user location information to a remote server, allowing another person to monitor the location of the phone without the knowledge of the user.

Dubbed AndroidOS.Tapsnake, the game in which the Trojan is hidden is a variation on the classic “snake” video game. According to its description in the Android Market, “This one listens to the taps for its turn directions”.

Location regularly updated

Researchers at Symantec picked up on the Trojan when they noticed that the Android “satellite” icon appeared in the top menu bar whenever the game was running. They discovered that the Tapsnake application was uploading GPS data every 15 minutes to an application running on Google’s free App Engine service.

This data can then be downloaded to a separate Android device, via a paid-for application called “GPS Spy”, which displays the data as location points in Google Maps. The person monitoring the compromised phone can also view the date and time of the specific points uploaded by the Trojan. This can paint a clear picture of where the Tapsnake user has been over the last 24 hours.

“The silver lining here is that for the application to really be used maliciously, an attacker would need to have access to the phone to install the program,” stated the Symantec blog. “For it to work, an email address and ‘key’ must be typed into the phone running AndroidOS.Tapsnake. This same registration information must later be typed into the phone running GPS Spy.”

The researchers explained that this would probably require a fair amount of social engineering – “something like ‘Hey, let me show you this cool game.’ (Think cheating spouses or keeping tabs on children.)” For this reason, they have concluded that it is not a major threat and probably not widespread. However, the fact that the application is disguised as something it’s not classifies it as a Trojan.

“Our advice for users of smartphones is to be careful of what you install and always check if the application you’re installing is asking for rights it doesn’t really need,” said Symantec.

Mobile security

Mobile security is increasingly becoming a priority, with many companies looking for enterprise-grade security and management for their employees’ smartphones. According to a recent survey by the Ponemon Institute, most respondents believe in the importance of anti-virus and anti-malware on mobile devices, as well as encryption, but are concerned about the cost of prevention methods.

Last week, a reporter at the BBC created a smartphone application which spies on the owner of the device, in an attempt to prove how straightforward it is to create malicious software for mobiles. The malware, disguised as a simple noughts and crosses game, hid under the hood gathering contacts, copying text messages, logging the phone’s location and sending it to a specially set up email address.

Meanwhile, BlackBerry maker Research In Motion is at the centre of a mobile security controversy, after governments in United Arab Emirates, Saudi Arabia and India threatened to block the sending of emails, accessing the Internet, and delivering instant messages to RIM’s Blackberry handsets. The level of encryption that RIM provides prevents security services from monitoring the devices, and the governments claim this a security issue.

Sophie Curtis

View Comments

  • We designed and manufacturered small GPS locator for children and pets. I'd like to know if you are interested in distributing our product. Our GPS tracker is very small size(61 x 34 x 12.5mm) and light-weighted(32 gram or 1.1 ounce), easy to use by GSM SMS commands. If you are interested please don't hesitate contact us. We are able to provide customized tracking device according to your need. Thank you very much for your time!

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago