Android has gained a reputation as the most malware-infested smartphone platform. Thanks to new adware, it may be becoming the most privacy-invasive as well.
We have discussed the trend of developers relying less on advertising to monetize mobile or Web apps and moving instead towards in-app purchases and other transactional strategies. Those who remain with an advertising model, especially on Android, may find that the libraries they bundle from ad networks are increasingly pushing the boundaries of user privacy.
As long as a year ago, researchers were warning (PDF) of the prevalence of adware in apps on the Android platform, and the bad behavior of some of that adware. (More Android apps than iOS apps monetize via advertising, because a larger proportion of the former are free -- 71 percent vs. 30 percent for iOS.) The worst of it employed mechanisms indistinguishable from those used by malware, such as downloading executable code from dynamically updated sites on the Web.
Now a new report out of Trend Micro (PDF), which looks at Android security in general, warns about newly virulent adware making an appearance on the Android platform. (The report conveys the alarming statistic that Android malware rose six-fold in just one quarter, from 30,000 known malicious apps to 175,000 between Q2 and Q3 of 2012.)
CSO Online reports on the adware portion of Trend Micro's findings. The security company singled out two ad networks, AirPush and Leadbolt, as representative of the movement towards more privacy-invasive advertising behavior. The two networks reportedly use information collected from rogue app developers to target ads using channels outside the app bundling their libraries -- for example, via push notifications.
Any information that an app collects from users is fair game, as long as the users are informed of the ends to which it will be put. If an app requested permission to access the user's contact list, and said it would be used to help make advertising more relevant, it would not be OK for the app to sell that information on to ad networks or others. Yet some developers do exactly that. (None of the ones who frequent Develop in the Cloud, I'm sure of it.)
Researchers out of North Carolina State University and the Technical University Darmstadt, in Germany, discovered that some ad libraries incorporate phone numbers, data from call logs, or login information from users' accounts. At the very least, such information could be used to identify otherwise anonymous users. At worst, it could facilitate identity theft.
Hackers also know about the data troves stored in adware libraries, and write malware to siphon them off, according to Trend Micro's cyber-security chief as reported by CSO Online. The adware libraries may not be written with security in mind and tend to make juicy targets. They can also be extremely inefficient -- a study (PDF) by researchers at Purdue University and Microsoft found that as much as 75 percent of the energy used by free apps is due to code running in third-party advertising modules.
The upshot? Make sure your mobile apps don't add to Android's malware problem. Find some way other than advertising to monetize them.