Tap Snake a Trojan Location Logger
Reader Mike Dopp recently pointed me to an app called Tap Snake, which advertises itself as an Android version of the classic game “Snake”. Upon installing, you’re advised that the game needs “Network Communication: Full Internet Access” and “Your Location”. On the surface this isn’t too unusual for games and free apps.
Many games will report back to the developer information about the device (screen size, processor speed, operating system version, etc.) so the developer can know who his audience is and cater his apps accordingly. Additionally, many games allow you to “share your high-scores” online — via network communication, of course.
Also, most “free” apps are actually paid for via advertisements. The developer gets paid by the advertisers who, in turn, get to gather information about you, and present you with marketing messages. To target these ads more efficiently, the advertiser uses your geo-location to serve up ads that are more relevant to you.
That’s where things get sticky.
Tap Snake asks for both of these permission sets prior to installation, so you can “cancel” if you want. As it turns out, according to an article on ReadWriteWeb.com, Tap Snake and GPS Spy work hand-in-hand. When paired with the individual registration code from Tap Snake, GPS Spy can display where the individual is, at 15-minute increments.
Generally, apps will use the resources to which they’ve been granted permission only while said app is in the foreground. This makes sense not only from a user-experience perspective, but from a battery-usage one as well. Some apps, however, need to keep running in the background (GPS plotters, music players, etc.), so Android does have the ability to run background tasks.
That’s where Tap Snake gets mischievous.
Not only does Tap Snake turn on GPS while running, it reportedly also never quits (keeping the location logging running even when not playing the game). But there’s more. Also according to the report, it adds itself to Android’s startup routine, automatically firing up when the device is rebooted.
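The combination described above (location access, network access, a background task, and a restart at boot) can be checked statically in an app's manifest. The following Python sketch is an added example, not code from the original article or from Tap Snake; it assumes the manifest has already been decoded to text XML (APKs ship it in binary form), and the sample manifest and its package and class names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
INTERNET = "android.permission.INTERNET"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (hypothetical app, not Tap Snake's actual manifest).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.snakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".TrackerService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Report whether a manifest can read location, send it, and restart at boot."""
    root = ET.fromstring(xml_text.strip())
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    boot_receivers = [
        r.get(NS + "name") for r in root.iter("receiver")
        if any(a.get(NS + "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    services = [s.get(NS + "name") for s in root.iter("service")]
    findings = {
        "location": bool(perms & LOCATION),
        "internet": INTERNET in perms,
        "starts_at_boot": BOOT_PERM in perms and bool(boot_receivers),
        "boot_receivers": boot_receivers,
        "background_services": services,
    }
    # Flag only the full combination; each capability alone is common in games.
    findings["persistent_location_reporting"] = bool(
        findings["location"] and findings["internet"]
        and findings["starts_at_boot"] and services)
    return findings

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A positive result shows only that the app is able to log and report location persistently, not that it does so; confirming behavior requires observing the running app.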
Now, I’m not trying to black-ball Tap Snake. Rather, the permissions this type of app requests fall within what is generally accepted for similar apps. Nothing in the Android OS presently warns users about, or protects them from, the “mischievous” use (or abuse) of this information. Frankly, what can be done?
What additional security is needed? How could it best be implemented? Does Google need to do anything at all, or is caveat emptor enough?