New suspicious apps, including a third party market and a chat platform, collect data from smart devices and send it to remote servers in plain text. One of these apps has already been downloaded by between 10 million and 50 million users from the official Play Store.
Mobogenie, an application that manages phone apps, pictures and videos, sends a list of all applications installed on the device to remote servers. Although the action is justified by the profile of the app, the fact that it sends all this data in clear text is not only intrusive, but also infringing on the security guidelines of communications over Wi-Fi.
Guanxi.me – a Chinese social application, also on Google Play, reads the address book and sends it to a remote server. It does so only after you sign in and accept to have them connect you to the contacts in your address book. Once you agree, they send your address book in clear text to their servers. Previous versions would send the contact list without users’ permission.
Atop of a confusing language, the two consecutive messages have the Cancel/Agree (Confirm) buttons switched as if to make sure users authorize Guanxi to synchronize their account with their contacts’ and thus allow the app to send data to the developer’s servers.
Such behavior would help third party market developers spot trends and make their app more attractive for end users and promote certain applications more aggressively. But sending data in clear text or storing user profiles on unsecured servers could expose the user info to scammers. Plus this data might end up stolen or sold to spammers and used for social engineering approaches.
Android users are advised to exercise extreme caution when installing apps and to thoroughly check the app requirements. Installing a mobile security solution such as Bitdefender Mobile Security, which detects virulent adware, helps users keep their data secured. Bitdefender also recommends Clueful for Android, a free app that offers an expert opinion on how apps on your handset treat your privacy.
This article is based on the technical information provided courtesy of Bitdefender Android Team.
Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.