CybersecurityGood apps talking to bad Web sites behind your back

Applications dropped for embedded malware // Source: pace.edu

Almost 9 percent of popular apps downloaded from Google Play interact with Web sites that could compromise users’ security and privacy, according to a study released in December by researchers at the University of California, Riverside. The team is now developing a tool that allows users to evaluate the riskiness of individual apps before downloading them.

UCR reports that as one of the first studies to analyze behind-the-scenes behaviors of good applications, the researchers conducted a large-scale analysis of URLs embedded in 13,500 free android apps downloaded from Google Play. The apps tested were created by reputable developers and downloaded by many people, among them popular social media, shopping, news and entertainment apps.

Although apps connect to a complicated network of Web sites, both to function and generate advertising revenues, Michalis Faloutsos, a computer science professor in UCR’s Bourns College of Engineering, said most users don’t know their private information could compromised.

“We focused on a relatively neglected aspect of security research, which is the potential for good apps to leak personal information through the sites they interact with. A lot of people believe that if an app is popular or available on one of the big app stores then it must be safe, and we suspected that wasn’t the case,” Faloutsos said.

By developing and using a tool called AURA (Android URL Risk Assessor), the team identified more than 250,000 URLs accessed by the 13,500 apps, which they cross-referenced for trustworthiness using VirusTotal, a database of malicious URLs, and Web of Trust (WOT), a popular website rating system. They found that:

• Almost 9 percent of the popular apps interacted with malicious URLs (implicated in distribution of malware).
• 15 percent talked to bad Web sites (with intentions that vary from harming devices, stealing confidential data or annoying users with spam).
• 73 percent talked to low-reputation Web sites (those receiving a Web of Trust rating lower than 60/100).
• 74 percent talked to Web sites containing material that is not suitable for children.

“I think the fact that 9 percent of the good apps we analyzed interacted with at least one Web site that distributes malware is very worrisome,” said Faloutsos, who emphasized that the findings show only that users are potentially exposing themselves to risk, and not that each of these interactions would necessarily result in negative consequences.

While the current study was designed to raise awareness about the risky behavior of good apps, the team plans to make AURA available for developers, researchers, android users, and distributors like Google Play, said Xuetao Wei, assistant professor at the University of Cincinnati, who led the project as a Ph.D. student at UCR. Iulian Neamtiu, associate professor at the New Jersey Institute of Technology, also played a key role during his time at UCR.

“We are currently improving the AURA system to make it more robust and user-friendly, and then we will release it to the public as open source software,” Wei said.

UCR notes that until then, the researchers recommend people limit the number of apps on their phones to those they really need and review new apps before downloading them.

“Reading the comments left by other app users is a good security practice that can help users make more informed decisions about what they put on their smartphones,” Wei said.

The team will present their paper, “Whom Does Your Android App Talk To?” on Dec. 8 at the IEEE GLOBECOM conference in San Diego.