Questionable Android Apps -- SndApps -- Found and Removed from Official Android Market
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
On July 4th, 2011, my research team came across five questionable Android apps in the official Android Market. These five apps share a common suspicious payload -- SndApps. This payload does not attempt to root users' phones. Instead, it lurks in host apps and stealthily uploads users' personal information, such as email accounts and phone numbers, to a remote server without the user's awareness.
(NOTE: the host apps do not need the related permissions for their normal functionality.)
How it works
The SndApps payload can be started when the infected phone finishes booting or when an app is being installed from Android Market.
Once started, SndApps collects the user's personal information, including the phone number and email addresses, and sends it to a remote server.
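A manifest triage check for the pattern described above, as an added example that is not part of the original article. It assumes a decoded AndroidManifest.xml (for instance as produced by apktool); the intent and permission names are standard Android identifiers chosen here as assumptions because the article does not list them, and `triage_manifest` and both sample manifests are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping of the described behaviour to standard Android identifiers;
# the article itself does not name the payload's intents or permissions.
TRIGGERS = {"android.intent.action.BOOT_COMPLETED", "android.intent.action.PACKAGE_ADDED"}
DATA_PERMS = {
    "android.permission.READ_PHONE_STATE": "phone number",
    "android.permission.GET_ACCOUNTS": "email accounts",
}
NETWORK_PERM = "android.permission.INTERNET"


def triage_manifest(manifest_xml):
    """Summarise background triggers, readable personal data and network access."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    triggers = {}  # trigger action -> receiver class that handles it
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            name = action.get(ANDROID_NS + "name")
            if name in TRIGGERS:
                triggers.setdefault(name, receiver.get(ANDROID_NS + "name"))
    data = sorted(label for perm, label in DATA_PERMS.items() if perm in perms)
    network = NETWORK_PERM in perms
    # Flag only the full pattern: background start + personal data + a way to upload it.
    flag = bool(triggers) and bool(data) and network
    return {"triggers": triggers, "data": data, "network": network, "flag": flag}


# Constructed sample manifests (hypothetical apps, not from the article).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.tuner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
    <receiver android:name=".InstallReceiver"><intent-filter>
      <action android:name="android.intent.action.PACKAGE_ADDED"/>
      <data android:scheme="package"/></intent-filter></receiver>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.alarm">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application><receiver android:name=".Reschedule"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver></application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage_manifest(xml))
```

A raised flag is a triage hint only: the reviewer still has to compare the requested permissions with what the app's stated functionality needs.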
Based on our initial analysis, SndApps has a built-in referencing mechanism to promote other instances of SndApps on the Android Market. Specifically, there is a special icon in the SndApps instance. When the user clicks this icon, it leads to a list of other SndApps instances marked with "FREE" and "No Ads" in their descriptions to entice users to download and install them.
Follow-ups:
- 07/15/2011: This article goes online.
- 07/14/2011: These five apps have been removed from the official Android Market.
- 07/06/2011: We notified Google about these five questionable apps.
- 07/04/2011: We detected five instances of SndApps on Android Market.
Last modified: July 15th, 2011