Malicious-suspicious apps...

[RegGuheert]

I recently ran across an application in the market that I *nearly* downloaded, but I stopped short because of what the application was accessing. Specifically, this application was designed to measure the performance of the processor in the phone. When I started to download the application, I noticed that it wanted access to the following:

- Network communication
full internet access

- Your location
coarse (network-based) location

- Phone calls
read phone state and identity

At first blush, it seems that a benchmarking application doesn't need any of these things. Then reading the description and comments, it appears that this tool builds a database of phone performance on the web, which implies that it sends the performance information over the internet. Apparently it identifies the performance by both the phone type and location. But I am somewhat uncomfortable about this. Here are some random questions that arise:

1) What difference does it make where the phone is?
2) Does it know the unique identifier for my phone? If so, how is this information stored and/or secured? Why does it need this?
3) Can it do more than read the phone state? Can it make phone calls? Can it read my contacts?
4) What else can be done to/with the phone given full internet access? Build a gigantic denial-of-service attack?

I'm not naming the application since I doubt it is truly malicious. But this experience did make me think that someone could easily write a useful-to-me program that could be fully functional, but that could, in addition, do malicious things without my knowledge, such as steal all my personal information and send it out to a third party. I also realized that I have not been paying much attention to those lists of things that applications might be able to do, but perhaps I should be!

Am I the only one wearing a tin-foil hat here, or is this a real/known/already-documented issue? If such an application exists or comes into existence, how will we know or find out? How can you prove it? To whom would we report such a thing? ("Flag as inappropriate" seems a little weak in such a case...)

Any (well, almost any!) thoughts on this subject would be appreciated!

[arnodenhond]

While it is possible that this set of permissions could allow malicious activity,
This is also the exact set of permissions required by the AdMob advertising module.
Free apps often include this module to generate some revenue for the developer.

Obviously AdMob would like to know your location to be able to present the most relevant advertising which needs to be downloaded by internet.

My guess would be that if an app truly has malicious intent, it would request some other permissions which are much more powerful than these.

[deserttopping]

For the record, what permissions are the most cause for concern?

[Iceberg]

You hint that the application was about testing phone speed?

- Network communication
full internet access
Test's speed of uploading and downloading via 3g networks/edge/wifi
- Your location
coarse (network-based) location
Test's the speed of how your phone collects the 0's and 1's around you needed for gps
- Phone calls
read phone state and identity

Probably call frequencies and what not.

I really haven't seen one application that seems that it would really do any damage, and there's yet to be a report about it happening.
But just keep being mindful. If you're being a pervert and downloading Japanese babes and one of the permissions is your social security number I'd advise you not too.

and just in case you don't know that was an extreme example.

[RegGuheert]

This is also the exact set of permissions required by the AdMob advertising module.
Free apps often include this module to generate some revenue for the developer.

I'm betting that's what it is in this case. Thanks!

My guess would be that if an app truly has malicious intent, it would request some other permissions which are much more powerful than these.

Agreed. I've looked through what is requested by some more powerful applications, like home replacements. It's pretty specific about what can be done.

It's good to hear that no one has run into or heard of any malicious Android apps out there yet. Unfortunately, I suspect it is simply a matter of time. Hopefully Google has a plan of action in place in case/when some bad applications start to appear.

[Iceberg]

Unfortunately, I suspect it is simply a matter of time. Hopefully Google has a plan of action in place in case/when some bad applications start to appear.

Eh.
Viruses and malicious applications are directed twords big fields.
Example.
In the computer world everyone thinks macs don't get viruses but they are just as able to get viruses as anything else on the planet.
The reason why Microsoft gets them is because it's a big target, and there's more damage to be done to them and business where it is to Apple.

The Iphone is a target, but the tough app market is a good "firewall"
But there was that hack where you get a blank text message that would take control of your phone.
Same with the g1. etc. etc etc

[RegGuheert]

Viruses and malicious applications are directed twords big fields.

Android will be one of the biggest. And my Android phone is more connected than my computers...

[porn]

That weird Rhapsody app in the market right now (not the REAL one that is allegedly coming soon)

is pretty suspicious.

I dunno if its purpose is to phish for rhapsody passwords or what.

but it doesnt even come close to actually doing anything.. and it just seems odd

[extorian]

It really puts me off apps when they need a whole load of permissions I can't see a reason for.

I caught Locale (which I liked as an application) sending personal data to a website called flurry.com and posted about it here: http://androidcommunity.com/forums/f...rry-com-18551/

What I didn't like there was that the app was not up front about doing this. It made no mention in the documentation or on the website that it sent data to flurry.com, not any option to opt out of it. I consider my IMEI number personal information, as it uniquely identifies my phone.

It would be good if developers mention in the description, or link to their website, and clearly state why their apps need certain riskier permissions.