Update: Android gaming app hides Trojan, security vendors warn


Tap Snake could be used by attackers to monitor movements of an Android system
via GPS tracking; Google downplays risk


Computerworld - Security vendors Symantec and F-Secure have issued warnings that Tap Snake,
a free gaming application for Google's Android OS, can be used to track and monitor a user's location.

Tap Snake, a version of a 1970s-era video game called "snake," is available from the Android Market online store.

Though the application appears to users as the original version of the game, it can also be
secretly used as a client for a $4.99 commercial spying application called GPS Spy, both companies
warned in separate advisories this week.

Once the game is installed, a third party who gains access to the Android device can program it to
secretly report the device's location at any time to another system running GPS Spy. The Tap Snake
software is designed to run continually in the background on an Android-based system.

"GPS Spy downloads the [Tap Snake] data and uses this service to conveniently display it as
location points in Google Maps," Symantec said in its advisory. "This can give a pretty startling
run-down of where someone carrying the phone has been."

The GPS data includes the date and time of a user's location at the time the data was sent.

A potential attacker would need physical access to an Android device in order to enable the game
application's spying capabilities, noted Sean Sullivan, a security researcher with F-Secure.

To enable tracking by GPS Spy, an attacker would need to install the game on a device, and then
register the game by entering an e-mail address and a specific 'key,' he said. This same registration
information must later be typed into the phone running GPS Spy in order to enable tracking.

Though there are similar spy tools for Android, iPhone and other mobile devices, "what's unique
about Tap Snake is that it doesn't declare what it is when you register the game," Sullivan said.
"You put in the e-mail, you put in the keycode, it starts to do the spy work," without any notice,
he said.

"There are plenty of applications available that do the same thing and disclose this information up front,
and do not claim to be something else--the primary reason we consider this a Trojan," Symantec noted.

Though the Trojan allows for pretty intrusive tracking, the risk to users is somewhat mitigated because
the program requires the attacker to have physical access to an Android device. Even so, users would do well to
password-protect their phones, Sullivan said. "If your phone is locked, nobody has access to it."

A Google spokesman downplayed the warnings, saying the concerns relating to the applications were being
overstated. "When installing an application, users see a screen that explains clearly what information and
system resources the application has permission to access, such as a phone's GPS location," the spokesman
said in an e-mailed statement.

"Users must explicitly approve this access in order to continue with the installation, and they may
uninstall applications at any time. They can also view ratings and reviews to help decide which
applications they choose to install. We consistently advise users to only install apps they trust," the spokesman said.



www.npadata.com

Free Android App Tap Snake is Actually Malicious, Security Vendors Inform



If you have an Android-powered device and you want to have a bit of fun,
you can play a game on it. There are plenty of games
available for download in the Android Market that are offered free of charge
(I'm assuming you don't want to part with your hard-earned money).
The downside is that not all the games the Android Market serves are what they claim to be.

Tap Snake is an app for the Android operating system that claims to be a game,
a Snake clone to be more precise. The app is offered free of charge, but don't
think for a second that by getting the app you will not pay. You pay with your
privacy because Tap Snake is in fact malicious; it is a client for the commercial
spying application GPS Spy.

"The Tap Snake game looks like an average 'Snake' clone. However, there are two hidden features.
First, the game won't exit. Once installed, it runs in the background forever, and restarts
automatically when you boot the phone. And secondly, every 15 minutes the game secretly reports
the GPS location of the phone to a server," said Mikko Hypponen on behalf of F-Secure,
a Finland-based company that specializes in providing antivirus and security software solutions.

The fact that Tap Snake is malicious has also been confirmed by Trend Micro, a company that
specializes in providing network antivirus and internet content security software.

"Trend Micro threats analysts Edgardo Diaz and Alvin Jethro Bacani came across a possibly
malicious Android app known as Tap Snake that is circulating in the Android market.
The said app has the ability to send a user's GPS location via HTTP POST the moment
the user accepts the app's end-user license agreement. Even worse, the app cannot be
terminated to prevent it from sending out user data," said Bernadette Irinco, Technical
Communications with Trend Micro.

Pretty much the same warning has been issued by Symantec, a company that specializes
in providing antivirus, antispyware, and internet security software solutions.
The malicious app is expected to be removed from the Android Market by Google.
It is expected that Google will use its remote application removal privileges
to remove the app from the devices of Android users who installed it.
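
The behaviour F-Secure and Trend Micro describe (location access, reporting to a server, automatic restart at boot) corresponds to declarations in an app's manifest that a reviewer can check before installation. The following is an added example, not code from the article or from any vendor; the manifest is a constructed sample, not Tap Snake's real one, and its package and component names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}name"  # the android:name attribute
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}

# Constructed sample (decoded manifest XML); package and component names are
# hypothetical. This is not Tap Snake's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.snakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Snake">
    <activity android:name=".GameActivity"/>
    <service android:name=".ReportService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the capabilities that together allow silent, persistent location reporting."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A) for p in root.iter("uses-permission")}
    boot_receivers = sorted({r.get(A) for r in root.iter("receiver")
                             for a in r.iter("action")
                             if a.get(A) == "android.intent.action.BOOT_COMPLETED"})
    services = [s.get(A) for s in root.iter("service")]
    found = {}
    if perms & LOCATION:
        found["location"] = sorted(perms & LOCATION)
    if "android.permission.INTERNET" in perms:
        found["network"] = ["android.permission.INTERNET"]
    if boot_receivers and "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        found["boot_persistence"] = boot_receivers
    if services:
        found["background_service"] = services
    return found

def is_tracking_capable(xml_text):
    """True only when location, network and boot persistence are all present."""
    return {"location", "network", "boot_persistence"} <= triage_manifest(xml_text).keys()

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print("tracking-capable:", is_tracking_capable(SAMPLE_MANIFEST))
```

The combination is a trigger for review rather than a verdict: what the vendors flag is that the app presents itself as a game and gives no reason for it.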
