Beware: Free Apps Might Prove Costly

Research by an IEEE Fellow warns of malware on the prowl

17 February 2012

You might want to think twice the next time you download a free app to your smartphone. That app could be riddled with malware able to steal information stored on your phone, according to IEEE Fellow Jeffrey Voas. It pays to be extra cautious now, Voas says, because mobile hacking is on the rise, with free apps possibly the most popular tool for gaining access.

Recent research by Voas, a computer scientist at the National Institute of Standards and Technology in Gaithersburg, Md., and his team of researchers found malware in more than 2000 free smartphone apps. The malware can infiltrate your phone’s operating system and cause all kinds of trouble, including stealing personal data.

“Of all the free mobile applications we researched, about 1 in 100 visibly contained malware—and that doesn’t even account for the ones where the malware is so hidden it’s impossible to spot,” Voas says. “The number of malware-contaminated apps is growing by the day, and with most of the apps offering good functionality for free, it’s easy to be victimized.”

Voas used a variety of detection tools—some commercial and others home-grown—which scan an app’s source code and binaries for malware. He and his coresearchers scanned about 280 000 free Android apps. Voas says he was not surprised by what they found. “I expected we would find malware in around 1 percent of the apps,” he says. “But we might have missed a lot because the detection tools we have access to need more work.”

So what can you do to protect yourself against malware? Unfortunately, very little, Voas says. But he does recommend caution.

First, download free apps only from sources you trust. “The person who wrote your app could wind up acting as your new, unauthorized system administrator of your phone,” he says. He or she can “take total control of your phone, including your GPS location, wireless connection, microphone, camera, and address lists. All your e-mail could be accessible.”

Another way to protect yourself is to pay careful attention to the access rights being requested by an app. When users download apps, they often must agree to give the app access to various features, such as GPS location. That can be helpful—and necessary—for legitimate apps such as Yelp, Google Maps, and other location-based services. But ask yourself if the access being requested makes sense.

“We looked at a variety of ways in which apps behave strangely in the context of their advertised functionality,” he says. “Most of our focus was on apps that ask for permissions that are unnecessary. For example, why would a simple game, like tic-tac-toe, need Internet access or access to the camera, and why would it also wish to send e-mail? Clearly, there is more going on here than just a fun game.”
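The permission check Voas describes can be sketched in code. The following is an added example, not code from Voas's team or from the article: it reads the `uses-permission` entries of a decoded, text-form `AndroidManifest.xml` and reports those outside a per-category baseline. The category names, the baseline sets, and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for the android:name attribute in manifests.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline (constructed for this example): permissions that an app
# in each advertised category plausibly needs.
EXPECTED = {
    "board_game": set(),
    "maps": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}

# Constructed sample: a tic-tac-toe game asking for network, camera and contacts.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tictactoe">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Tic-Tac-Toe"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a text-form manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:  # ignore malformed entries that lack android:name
            perms.add(name)
    return perms


def unexpected_permissions(manifest_xml, category):
    """Return, sorted, the requested permissions outside the category baseline."""
    if category not in EXPECTED:
        raise ValueError("no baseline defined for category: " + category)
    return sorted(requested_permissions(manifest_xml) - EXPECTED[category])


if __name__ == "__main__":
    for permission in unexpected_permissions(SAMPLE_MANIFEST, "board_game"):
        print("needs review:", permission)
```

A flagged permission is a prompt for review rather than proof of malware; manifests packaged inside an APK are stored in a binary form and must be decoded to text before a check like this can read them.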

Smartphone users, in particular, should remain vigilant. “Wherever the ‘action’ is, that’s where the hackers will be,” he says. And right now, the action is in smartphones.

So the next time you see a free app, heed Voas’s warning: “Remember that ‘free’ isn’t necessarily free. All it takes is two or three seconds for malicious apps to access the information stored on your phone and transmit it anywhere.”
