Some Clarification…

by


Recently Webroot posted a blog about an app called “London Olympics Widget” which was found in a third party market that may need further clarification.  This app is what we consider a Potentially Unwanted Application (PUA).  PUAs are apps are not considered to be good, nor are they considered malware either.  They are apps that walk a thin line and thus are in a grey area.  The app in question was classified as a PUA because the of the advertisement SDK add-ons it contains.  There are a lot of free apps out there that contain these advertisement SDK add-ons in order to create revenue, and that’s okay.  It’s when these advertisement SDK add-ons are overly aggressive and display behaviors such as creating ad related home screen icons and bookmarks, accessing the contact list, and displaying ads in your notification bar that we call these PUAs.  We detect these annoying apps in order to inform the user of its presence.  Google has recently taken the same stance against these aggressive advertisements and has updated their Ad Policies to warn developers that this type of aggressive advertising will no longer be allowed in the market: Google Play Developer Program Policies

In the case of “London Olympics Widget”, it is a simple app that displays what events are going on in the Olympics on which days.  Nothing wrong with that at all.  The reason we have classified this as a Potentially Unwanted Application is because it is using the Olympics to draw people into installing their apps so they can make money on multiple aggressive advertisement SDK add-ons.  It is the aggressive advertisement SDK add-ons that are requesting permissions to read contacts, look up device ids, and read SMS messages. Why do they want to read your SMS, collect your contacts and blast you with ads?  Probably not to make your mobile experience better.  Permissions are a scary thing, but just because an app has a permission to do something doesn’t necessarily mean it’s malicious.  It’s the code within the app that uses these permissions that makes the determination of good or bad.  Can “London Olympics Widget” read your contacts and read your SMS?  Yes, but that doesn’t mean they are using the data collected in a malicious way.  They are using the data to for advertisement reasons which isn’t considered blatantly malicious, but is considered something you may not want on your device which is why we detect it as a PUA.

As always, make sure you install apps from safe markets, and if it has more permissions than what you think it should, be cautious.  Scanning with Webroot SecureAnywhere Mobile will detect PUAs and malware to make sure users stay ad annoyance free, and safe while using a mobile device.

London Olympic Widget with shortcuts added by aggressive advertisement SDK

Screen shot of app showing Olympic event on August 11th

Ads that popped up in notification bar


Tags:



About the Author

Name: Nathan Collier
Role: Retired ThreatBlog Member


Nathan was a Senior Threat Research Analyst for Webroot, having been with the company since October 2009.  He started has career working on PC malware, but now spends most of his time in the mobile landscape researching malware on Android devices.  Because of his early adaptation to mobile security, Nathan has seen the exponential growth of mobile malware and is highly experienced in protecting Webroot customers from mobile threats. He also enjoys frequently traveling with his flight attendant wife, Megan, and is a competitive endurance mountain bike racer in Colorado.