Study Reveals Popular Android Apps Interact with Risky Websites

NJIT computer science professor Iulian Neamtiu helped to create an Android URL Risk Assessor (AURA), to detect risks associated with well-intentioned apps, which contain URLs to malicious and questionable domains.

They’re fast, user-friendly and easy to download.

We’re talking apps: a must-have necessity for anyone seeking enhanced functionality, organization and connectivity on the go as we move full speed ahead into the mobile-first era.

Reportedly, consumers spend a whopping 85 percent of time on smartphones in apps. In 2015, it was announced that the time spent using mobile apps by the average U.S. consumer has now exceeded that of TV; consumers are now spending 198 minutes per day inside apps compared to 168 minutes on TV.

There’s no denying we’re a freewheeling, tap-and-swipe culture with a growing dependency on the conveniences of mobile computing—there are 1.4 billion active Android device users worldwide with access to more than 1.6 million Android apps available in the Google Play Store—but could your treasured shopping, news, gaming and media apps be secretly sharing your confidential information with malicious websites?

APPsolutely!

Almost 9 percent of popular apps downloaded from Google Play interact with websites that could compromise users' security and privacy, according to a large-scale analysis conducted by professors Iulian Neamtiu (NJIT), Michalis Faloutsos (University of California, Riverside) and Xuetao Wei (University of Cincinnati).

The team developed a systematic and comprehensive tool called AURA (Android URL Risk Assessor), to focus on a lesser-studied security aspect of apps, which uses both static (bytecode) analysis and dynamic (execution) analysis.

They identified more than 250,000 URLs accessed by 13,500 Android apps, which they cross-referenced for trustworthiness using VirusTotal, a database of malicious URLs and Web of Trust, a popular website rating system.

“We found that 1,187 (8.8 percent) of the good apps communicate with malicious websites, 15 percent of the good apps communicate with bad websites and 74 percent of the apps talk to websites containing material not suitable for children,” reveals Neamtiu. “Interestingly, we found that not all URLs that bad apps connect to are bad as well, because many malicious apps are created by injecting a malware veneer into a benign app.”

Here, Neamtiu further discusses the findings of his research, explains good apps versus bad apps, exposes how websites and apps intermingle to phish your personal information and offers tips to help keep you protected.

Why do apps connect to websites?

It is impractical to store large volumes of data that change all the time on a smartphone. Instead, the smartphone connects to a server to retrieve this information. That is why Google Maps connects to Google’s servers to retrieve up-to-date information about traffic and road closures. Similarly, an app such as Yelp has to connect to Yelp’s servers to get a listing of nearby restaurants, or connect to a restaurant's website to view the menu.

What danger does this pose to end-users?

When an app connects to a website, it sends data to and receives data from, the website. Sending data has risks such as loss of privacy. An example of this is when an app leaks information stored on the phone—from the list of contacts to the user’s emails or photos. Receiving data has risks such as downloading viruses or executing malicious code.

In what ways do websites try to phish personal information from end-users?

1. Offer empty “big reward” promises to entice you to click on links, install apps or provide information in exchange for a reward, gift certificate or coupon.

2. Promise you access to free adult content.

3. Display intrusive advertisements that interfere with your ability to use the phone with the hope that you will eventually get tired of the intrusive ad and click on it.

4. Present fake sites and manufactured webpages that look very similar to a legitimate webpage—the front page of The New York Times or Bank of America—to fool you into providing login credentials, such as your username and password.

5. Add malicious content to websites. For example, on a restaurant website, an attacker might add a small widget to ask users for a credit card in order to secure a reservation, whereas the original website did not require that information.

How did you use AURA to conduct your research?

AURA analyzes Android apps using both a static analysis approach (looking for URLs website addresses embedded into application code) and a dynamic analysis approach (running the app and observing the URLs the app accesses). For our paper, we ran AURA’s static analysis on 13,500 popular free Android apps; we call them good apps and 1,260 malicious Android apps; we call them bad apps. We also ran AURA’s dynamic analysis on a small subset of the aforementioned apps, but static analysis was much more effective at discovering which URLs apps connect to. In all, good apps connect to 254,022 URLs and bad apps connect to 19,510 URLs.We then proceeded to characterize the URLs by performing a “background check” on each of them.

What makes an app good or bad?

We define good apps as apps whose purpose is not to intentionally subvert user security and privacy, while bad apps have been specifically designed with malicious intent. Nevertheless, good apps can do “bad things” for a variety of reasons: software bugs, or most commonly, displaying advertisements that lead to bad actions or bad websites.

If good apps interact with questionable websites, shouldn’t the developer be held responsible?

The app developer has little control over which ads are displayed since ads are served by third-party companies and oftentimes based on a user’s location. When the user clicks on these ads, the host app has de facto lost control.

Why was your research solely focused on apps downloaded using an Android device? Why not include iOS devices as well?

Android is the dominant platform worldwide, with about 80 percent of the global smartphone market share.

Android’s operating system is an open-source platform (Apple’s iOS is closed-source). Does that have any bearing on why apps are able to leak a user’s private information?

No. In fact, an open platform is arguably more secure because it allows users, developers and researchers to study what kind of private information is collected, and how this information is manipulated or potentially leaked.

Would users be better off only buying apps that carry a price tag?

One way to avoid advertisements is to use the paid or premium versions of apps. That, however, carries its own risks, since not all paid apps are legitimate.

How do you envision AURA being used once it hits the market?

AURA could be used as an advisory stand-alone tool, where users submit the apps of interest, and receive an assessment. AURA could also enhance the information presented to a user prior to installing an app. The Google Play market information panel could include AURA’s assessment as a part of the profile of the app as a more refined explanation of the Internet Access permission. AURA could also be used as a filter before the app is allowed to enter Google Play. The market owner, such as Google, Samsung or Amazon, could force developers to evaluate their apps with AURA, and allow apps on the market only if they meet certain requirements.

What can end-users do now to safeguard their information when downloading apps?

Only download and install apps from a reputable store or app marketplace, such as Google Play or Apple’s App Store. The apps are vetted before being posted there, and the marketplaces are constantly patrolled to find issues in already-posted apps. Also, don’t click on ads, don’t install apps that you don’t need and remember to remove apps you’re no longer using.

By Shydale James
sjames@njit.edu