Want to spy? The risk of applications
Spyware or legitimate monitoring application? You decide. In their latest blog, the Zscaler ThreatLabZ research team discuss a ‘legitimate’ app that can be purchased in Google Play known as SMS Tracker. Now, it’s legitimate as it advertises exactly what it does, but based on how this same application is packaged and distributed in other markets, some audiences may have less altruistic goals with this same application. The app also illustrates the powerful access permissions that an application can gain so long as the end user agrees to it, either explicitly or otherwise. By Viral Gandhi.
Details about the application:
Name: SMS Tracker.
As per the description on the application’s Google Play page, the application is able to do the following:
• SMS Tracking – Intercepts text messages. Read all inbound and outbound text messages. Details include time and date, phone number, contact name and location of the target phone. Complete Text message tracking and logging.
• MMS tracking - Intercepts MMS multimedia messages. Read and view all inbound and outbound MMS messages. See what photos are sent to and from the target phone. Details include photo, time and date, phone number, contact name and location of the target phone.
• Browser Tracking – monitors all web browser activity on the target phone. Know which websites were visited, which pages were viewed and when.
• GPS Tracking – Logs GPS location information which can later be viewed on a map. Know when and where the phone was located at all times. Breadcrumbs to record location information allowing parents to locate their children at frequent intervals. GPS logging occurs at a user defined rate (default interval is 5 minutes). Remote GPS logging and viewing give you the ability to see the location of your child’s phone, from any web browser. The bread crumb trail offers powerful GPS Tracking.
• Call Logging – Monitors all inbound, outbound and missed calls. Identifies the phone number, contact name, call duration, and location of the phone for every call.
• If you want to know where your kids are, just send them a text message. The location of the phone is recorded every time it sends or receives a text message.
• Tracking of System Events, including Device Powered On/Off, Device Attached / Removed to/from the charger, Apps installed/removed/updated.
• Silently monitor all inbound and outbound SMS messages.
How can the app be used?
First you need to download the application and install it on the device on which you want to spy. After installing the application, you need to register it. Next, you need to go to http://smstracker.com, where you will be asked for the login name and password that were registered at the time of installing the application.
This screenshot shows the dashboard after login.
This screenshot shows the page where you can see logging from the device. It covers SMS, device information, call logs, network traffic, location details, etc.
This same application could also serve as a generic template for other spyware projects: wrapped with other code, it would provide the core functionality needed to create another malicious app. This type of app clearly shows the powerful level of access that can be granted to Android apps, so long as users grant permission. An app can access SMS, call logs, network traffic, hardware details, screen details, etc. Always carefully read the permissions requested by an application before installing it on your device.
The vendor is promoting this application as a tool for monitoring the mobile activities of your children. However, this same app would be a very effective tool for spying on someone once installed on their phone. You just need to install the app on the device you want to spy on and you are done. All the information about the device and all call and SMS logs can then be remotely monitored.
Moreover, all of the user's private data is stored on the vendor's server. What guarantees are in place that the private data will remain private? In the increasingly common enterprise world of “Bring Your Own Device” (BYOD), such applications could be leveraged to expose corporate contact lists, email, browsing information and collect private data from corporate apps in the workplace. Enterprises often block access to 'non-official' app stores to prevent the installation of such apps, but this illustrates that such a restriction is no guarantee that spyware can't be installed from an official source.
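The permission review recommended above can be automated for BYOD app vetting. The following is an added example, not code from the original post or from Zscaler: it reads a decoded AndroidManifest.xml (assumed to have been extracted already, for example with apktool), maps the requested permissions to the monitoring features listed in the app description, and flags apps that combine several data sources with network access. The sample manifest, the package name, the capability grouping and the threshold are constructed for illustration and are not SMS Tracker's actual manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Android permissions grouped by the monitoring features the description lists.
CAPABILITIES = {
    "SMS/MMS interception": {"android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS", "android.permission.RECEIVE_MMS"},
    "Call logging": {"android.permission.READ_CALL_LOG",
        "android.permission.PROCESS_OUTGOING_CALLS"},
    "GPS tracking": {"android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION"},
    "Browser tracking": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "Contact names": {"android.permission.READ_CONTACTS"},
    "Start at boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}
UPLOAD = "android.permission.INTERNET"  # needed to send data off the device

# Constructed sample manifest (hypothetical package, not taken from a real APK).
SAMPLE_MANIFEST = """<manifest package="com.example.monitor"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_MMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {e.get(ANDROID_NS + "name") for e in root.iter() if e.tag in tags} - {None}

def audit(manifest_xml, threshold=3):
    """Map permissions to capabilities; flag broad collection plus upload."""
    perms = requested_permissions(manifest_xml)
    hits = {cap: sorted(perms & needed)
            for cap, needed in CAPABILITIES.items() if perms & needed}
    collectors = [cap for cap in hits if cap != "Start at boot"]
    flagged = len(collectors) >= threshold and UPLOAD in perms
    return {"capabilities": hits, "can_upload": UPLOAD in perms, "flagged": flagged}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for cap, perms in report["capabilities"].items():
        print(f"{cap}: {', '.join(perms)}")
    print("flag for review:", report["flagged"])
```

A flag here means the permission set is consistent with a monitoring tool and deserves manual review; it does not by itself show that an app is malicious.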
VirusTotal scan results
The application available from the vendor site (smstracker.com): https://www.virustotal.com/en/file/21aa6c6652287413f07ddfbcadea84441a500ee12816dfe4beed913e4a0fa636/analysis/
The Google Play store’s version: https://www.virustotal.com/en/file/a3b40fa9fea9600b55d4d07fd4f0358ee74e6924c342c5857c2a5311f7a11ed3/analysis/
Interestingly, despite virtually the same functionality, far fewer AV vendors flag the Google Play version as malicious.
About the author
Zscaler ThreatLabZ is the global security research team for Zscaler. Leveraging an aggregate view of billions of daily web transactions from millions of users across the globe, Zscaler ThreatLabZ identifies new and emerging threats as they occur, and deploys protections across the Zscaler Security Cloud in real time to protect you from advanced threats.
About the company
Zscaler is transforming enterprise security with the world’s largest Security Cloud built from the ground up to safely enable users doing business beyond the corporate network. Zscaler’s Security Cloud processes over 12 billion transactions a day with near-zero latency to instantly secure over 12 million users in 180 countries, with no hardware or software required. More than 4,500 global enterprises are using Zscaler today to simplify their IT operations, consolidate point security products, and securely enable their business for mobility, cloud and social media.
Appliance-based network security solutions were designed to protect static corporate networks, and routing mobile and remote traffic through these appliances often slows traffic to an extent that negatively impacts the user experience. Zscaler’s Security Cloud acts as a checkpost in the cloud, scanning all incoming and outgoing traffic between any device, anywhere in the world, and the Internet to identify and block potential threats.
Zscaler’s Security Cloud solutions are used by more than 4,500 global enterprises to secure over 12 million users worldwide. Their current customers are large global industry leaders that are trying to solve the difficult challenges of securing users beyond their corporate network. Their largest customer is National Health Services (NHS) with 1.6 million users. Other customers include British American Tobacco (BAT), which uses Zscaler to secure users in over 180 countries, as well as Society General, RalCorp, Pitney Bowes, and VMware. We also offer Zscaler through relationships with Internet Service Providers such as BT, Verizon, Telefonica and Swisscom.