Security researchers have pointed out that free Android apps, especially poorly vetted ones on Google Play, are connecting to a massive number of ad and tracking sites—without users being any the wiser.
This is happening on the Android platform because while Apple rigorously vets everything that appears in its app store, Google Play is much more open, only excluding apps that are obviously malicious.
Security researchers at Eurecom in France have conducted a massive sweep of free apps, monitoring the sites they connect to unbeknownst to their users.
According to MIT Tech Review, Vigneri and co. began by downloading over 2,000 free apps from all 25 categories on the Google Play store. They then launched each app on a Samsung Galaxy SIII running Android version 4.1.2 that was set up to channel all traffic through the team’s server, which recorded every URL that each app attempted to contact.
Next they compared the URLs against a list of known ad-related sites from a database called EasyList and a database of user-tracking sites called EasyPrivacy, both compiled for the open-source Adblock Plus project. Finally, they counted the number of matches on each list for every app.
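The matching step described above, as an added example that is not the Eurecom team's code: a short Python script that compiles a handful of constructed rules written in Adblock Plus filter syntax (the syntax EasyList and EasyPrivacy use, but not the real lists) into regular expressions, runs a constructed proxy log of app-to-URL requests through them, and counts, per app, how many distinct URLs hit the ad list and the tracking list. The app package names, hostnames and log format are all assumptions made for the illustration. Only the common rule forms (`||host^` domain anchors, `|` start/end anchors, `*` wildcards, `^` separators and `@@` exceptions) are handled; `$options` are stripped and element-hiding rules are skipped, which a real deployment would need to address.

```python
"""Count ad and tracking URLs per app, matched against Adblock-style filter lists.

Added example (not the Eurecom team's code). Simplified re-implementation of the
study's final step: URLs logged at a proxy are compared with an ad list and a
tracking list and the matches are counted per app. Every rule, hostname, app
name and log line below is constructed for illustration.
"""
import re
from collections import defaultdict
from typing import List, Optional, Tuple

# Constructed rules in Adblock Plus filter syntax (NOT the real EasyList/EasyPrivacy).
AD_RULES = """! constructed ad rules
||adnet.example^
||pubserve.example^$third-party
/banner/*
@@||adnet.example/allowed^
""".splitlines()

TRACKING_RULES = """! constructed tracking rules
||metrics.example^
||pixel.example^
/tracker.js
""".splitlines()

# '^' in a rule matches a separator character (anything but letters, digits,
# '_', '.', '%', '-') or the end of the URL.
SEPARATOR = r"(?:[^A-Za-z0-9_.%-]|$)"


def compile_rule(rule: str) -> Optional[re.Pattern]:
    """Translate one blocking rule into a regex over the full URL.

    Supports ||host^ (host or any subdomain), | start/end anchors, * wildcards
    and ^ separators. Comments, list headers, exception (@@) and element-hiding
    (##) rules return None; $options are stripped and otherwise ignored.
    """
    rule = rule.strip()
    if not rule or rule.startswith(("!", "@@", "[")) or "##" in rule:
        return None
    if "$" in rule:
        rule = rule.split("$", 1)[0]  # drop $third-party etc. (simplification)
        if not rule:
            return None
    pattern = ""
    if rule.startswith("||"):
        pattern += r"^[a-z]+://(?:[^/?#]*\.)?"  # scheme, then optional subdomains
        rule = rule[2:]
    elif rule.startswith("|"):
        pattern += "^"
        rule = rule[1:]
    end_anchor = rule.endswith("|")
    if end_anchor:
        rule = rule[:-1]
    for ch in rule:
        if ch == "*":
            pattern += ".*"
        elif ch == "^":
            pattern += SEPARATOR
        else:
            pattern += re.escape(ch)
    if end_anchor:
        pattern += "$"
    return re.compile(pattern, re.IGNORECASE)


def load_rules(lines: List[str]) -> Tuple[List[re.Pattern], List[re.Pattern]]:
    """Split a filter list into (blocking patterns, exception patterns)."""
    block, allow = [], []
    for line in lines:
        line = line.strip()
        target, text = (allow, line[2:]) if line.startswith("@@") else (block, line)
        compiled = compile_rule(text)
        if compiled is not None:
            target.append(compiled)
    return block, allow


def is_listed(url: str, rules: Tuple[List[re.Pattern], List[re.Pattern]]) -> bool:
    """A URL is listed if a blocking rule hits and no exception rule hits."""
    block, allow = rules
    return any(p.search(url) for p in block) and not any(p.search(url) for p in allow)


# Constructed proxy log: "<app package>\t<URL>" per line, as a proxy sitting
# between the phone and the internet might record it.
PROXY_LOG = """\
com.example.musiceq\thttp://adnet.example/serve?slot=12
com.example.musiceq\thttp://cdn.adnet.example/banner/300x250.png
com.example.musiceq\thttp://metrics.example/collect?e=start
com.example.musiceq\thttps://api.musiceq.example/presets.json
com.example.musiceq\thttp://adnet.example/allowed/privacy.html
com.example.sportplayer\thttps://pixel.example/p.gif?u=42
com.example.sportplayer\thttps://static.sport.example/js/tracker.js
com.example.sportplayer\thttps://api.sport.example/schedule
com.example.notepad\thttps://notepad.example/sync
"""


def count_matches(log_text: str, ad_rules, tracking_rules) -> dict:
    """Per app: number of distinct URLs contacted and how many hit each list."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            app, url = line.split("\t", 1)
            seen[app].add(url)
    return {
        app: {
            "urls": len(urls),
            "ads": sum(is_listed(u, ad_rules) for u in urls),
            "trackers": sum(is_listed(u, tracking_rules) for u in urls),
        }
        for app, urls in seen.items()
    }


if __name__ == "__main__":
    report = count_matches(PROXY_LOG, load_rules(AD_RULES), load_rules(TRACKING_RULES))
    for app, counts in sorted(report.items(), key=lambda kv: -kv[1]["ads"] - kv[1]["trackers"]):
        print(f"{app}: {counts}")
```

The exception rule matters: without `@@` handling, the constructed `adnet.example/allowed/...` request would be counted as an ad, which is the kind of false positive that inflates per-app totals when a list is applied naively. Real EasyList rules also carry `$domain=` and `$third-party` options that change whether a rule applies, so a faithful count needs the requesting page's origin as well as the URL.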
The 2,000 apps in question connected to a whopping 250,000 URLs across almost 2,000 top-level domains. Most of these apps were minor offenders, only trying to connect to a handful of ad or tracking sites, but roughly ten percent of the apps studied connected to over 500 different URLs. (Unsurprisingly, 9 out of the 10 most frequently contacted ad-related domains are run by Google.) Top offenders include “Music Volume EQ,” which connects to over 2,000 distinct URLs, and Eurosport Player, which hooks up with 810 different user-tracking sites.
Thankfully, the researchers are also working on a solution: A new Android app, called “NoSuchApp” that monitors outgoing traffic from a user’s phone, revealing exactly which external sites your apps are attempting to contact. Keep an eye out for NoSuchApp in the Google Play store—this NSA, at least, promises it won’t spy on you.