NC State computer science researchers have identified five applications on Google’s official Android Market that upload users’ personal information to a remote server without notifying the users. Google was notified and pulled the apps from the market July 14.
The relevant apps carry a hidden payload called “SndApps,” which stealthily uploads user information – including email accounts and phone numbers – to a remote server without the user’s permission. A technical overview of SndApps is available here.
The relevant apps went by the titles “Mosquito Repellent – No Ads,” “Whoopee Cushion – No Ads,” “Easy Button – No Ads,” “Flashlight – No Ads” and “Air Horn – No Ads.”
The research team, led by Xuxian Jiang, notified Google about the apps July 6.
Within the past two months, the NC State team also discovered DroidKungFu, GoldDream, Plankton, YZHCSMS and HippoSMS – as well as variations on DroidKungFu and a data-stealing vulnerability in Android 2.3 (Gingerbread) that was revealed in January.