An experiment conducted by two researchers at a security company found that more than 8,000 users downloaded their sneaky app despite security warnings questioning its safety.
There’s a micro-controversy in the United States because carrier AT&T blocked a new phone from installing apps that aren’t in the Android Market. Users complained that the company unfairly restricted their access to other app sources, but AT&T may have been on to something in light of recent reports about a possible security threat to Android and iPhone devices.
Two researchers conducted an experiment by distributing an app called “Weatherfist” to Android and iPhone users. Weatherfist came in two forms – one a malicious, botnet-building version that wasn’t distributed, and the other a seemingly harmless app that had more than 8,000 downloads. Users were unaware that before the “good” Weatherfist delivered the local weather report, it grabbed their GPS coordinates and telephone contacts, and then sent that information to a server controlled by the researchers. The app was able to access this information despite security warnings about installing apps from “untrusted sources” and an additional warning that listed the permissions the app requested.
Weatherfist was not distributed in the Apple App Store or the Android Market. Submitting the app to either market would likely have triggered testing and security concerns that would have exposed its questionable permission requests. For instance, why would an app dealing with the weather need to access my phone’s contact list? That’s precisely the point. Though Weatherfist didn’t have any malicious code, the fact that it managed to get on so many phones without users questioning the potential threat exposes how unaware people can be of the dangers of smartphone security. Had the “bad” version of Weatherfist been the one downloaded, it could have formed a botnet, which is a network of hacked computers used to spam and steal passwords.
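The mismatch check that a market review would have applied (a weather app asking for the contact list), as an added example that is not part of the original article or the researchers’ work. The manifest text, the per-purpose allow-list and the set of sensitive permissions are constructed for illustration.

```python
# Added example: audit an Android manifest for sensitive permissions that the
# app's stated purpose does not justify. Allow-list and sample manifest are
# constructed; they are not from the article or from Weatherfist itself.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# What a weather app plausibly needs: network access and location (constructed).
EXPECTED_BY_PURPOSE = {
    "weather": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_FINE_LOCATION",
    },
}

# Permissions that expose personal data; any of these outside the allow-list
# is what the audit reports (constructed subset).
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def audit(manifest_xml: str, purpose: str) -> list:
    """Sensitive permissions the app requests that its purpose does not explain."""
    allowed = EXPECTED_BY_PURPOSE.get(purpose, set())
    return sorted((requested_permissions(manifest_xml) & SENSITIVE) - allowed)


# Constructed manifest modelled on the article's description: a weather app
# that also asks to read the contact list.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weatherapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, "weather"))  # ['android.permission.READ_CONTACTS']
```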
Just as people are constantly reminded to be vigilant about what software they install on desktop computers, users must also be mindful of what they put on their phone. Being able to install beta applications or programs unsanctioned by Apple/Google can be a great way to spruce up your phone, but it also means you have to be extra cautious. In the absence of gatekeepers, individuals must be extra protective of their private information.