Symantec warns of a suspicious Android application that appears as 'Snake' but transmits GPS data
Warnings have been issued about a malicious version of the classic mobile phone game 'Snake' that is actually a Trojan.
Symantec Security Response said that it found the game in the Android Market. It plays much like the original game, but a satellite icon appears in the top menu bar while the game is running, indicating that GPS data is being acquired.
This was a clue that a Trojan was being downloaded with the game, Symantec said. The Trojan then uploads data to a remote server, allowing another person to monitor the location of the phone without the knowledge of the user.
The Trojan has been labelled as AndroidOS.Tapsnake, although in order to receive the GPS coordinates, a second paid-for application called 'GPS Spy' must be installed on another Android device, which the developer describes as an application to track another mobile.
The description reads: "Download and install the free Tap Snake game app from the Market to the phone you want to spy on. Press menu and register the app to enable the service. Use the GPS Spy app with the registered email/key on your own phone to track the location of the other phone. Shows the last 24 hours of trace in 15 minute increments."
Researchers Mario Ballano and Marian Borucki claimed that essentially, AndroidOS.Tapsnake uploads the GPS data every 15 minutes to an application running on Google's free App Engine service. GPS Spy then downloads the data and uses this service to conveniently display it as location points in Google Maps. The person monitoring the compromised phone can even view the date and time of the specific points uploaded by the Trojan.
They said: “Interestingly enough, the developer has published a number of applications that make use of GPS location services, so he or she obviously had some experience with device-tracking technologies. As is true with every Android application, this threat requires a set of rights to be installed in a device, which in this case includes location data.
“However, AndroidOS is designed in such a way that the user is told which APIs an application will access prior to installing it. However, what isn't disclosed is that it will continue to run in the background, even if a user attempts to kill the application.”
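The fixed 15-minute upload interval described above is something a defender can look for in per-app outbound connection logs. The following Python is an added example, not code from Symantec or from the application; the log format, package names and hosts are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: per-app outbound connection log from a test handset.
# Package names and hosts are placeholders, not values from the Symantec report.
SAMPLE_LOG = """\
2010-08-17T10:00:05 com.example.snakegame tracker.example.appspot.com
2010-08-17T10:15:04 com.example.snakegame tracker.example.appspot.com
2010-08-17T10:30:06 com.example.snakegame tracker.example.appspot.com
2010-08-17T10:45:05 com.example.snakegame tracker.example.appspot.com
2010-08-17T11:00:07 com.example.snakegame tracker.example.appspot.com
2010-08-17T10:02:11 com.example.mail imap.example.net
2010-08-17T10:03:40 com.example.mail imap.example.net
2010-08-17T10:41:02 com.example.mail imap.example.net
2010-08-17T11:20:30 com.example.mail imap.example.net
not a log line
"""

def parse(log_text):
    """Yield (timestamp, app, host) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def find_periodic_uploaders(log_text, period_s=900, jitter_s=60, min_events=4):
    """Return {(app, host): median_gap_seconds} for flows repeating at ~period_s."""
    flows = defaultdict(list)
    for ts, app, host in parse(log_text):
        flows[(app, host)].append(ts)
    hits = {}
    for key, stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Every gap must sit near the period; one near-match is not a beacon.
        if all(abs(g - period_s) <= jitter_s for g in gaps):
            hits[key] = median(gaps)
    return hits

if __name__ == "__main__":
    for (app, host), gap in find_periodic_uploaders(SAMPLE_LOG).items():
        print(f"{app} -> {host}: every ~{gap:.0f}s")
```

A game that contacts the same host on a steady 15-minute cadence while in the background stands out against the irregular traffic of ordinary apps such as the mail client in the sample.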
On a positive note for users, for the application to really be used maliciously, an attacker would need to have access to the phone to install the program. For it to work, an email address and 'key' must be typed into the phone running AndroidOS.Tapsnake. This same registration information must later be typed into the phone running GPS Spy.
Symantec said that this would probably require a dash of social engineering, something like 'Hey, let me show you this cool game', but there are plenty of applications available that do the same thing and disclose this information up front, and do not claim to be something else - the primary reason why it considers this to be a Trojan.
The first malicious program to be classified as a Trojan-SMS for smartphones was detected last week for the Google Android operating system by Kaspersky Labs, while vulnerabilities in the Palm Pre and Android platforms were detailed last week with the ability to snoop on conversations and steal credentials.