Android tool catches apps silently pumping hundreds of ad, tracking servers red-handed

Security researchers have developed an Android application that's capable of alerting when other apps on a phone or tablet are covertly tracking users and connecting to ad networks.

The team at France's Eurecom and Technicolor Research – explained in a paper published in the Cornell University Library archive that their prototype NoSuchApp application* functions as an on-board proxy: it monitors traffic and compares URLs silently requested by apps to a list of known ad-serving and user-tracking domains.

The aim of the project is to give users a way to be warned of the behavior of their apps and remove "bad actor" apps that might have otherwise gone undetected.

"The lack of oversight in Android Play Store makes it all too easy for end-users to install applications of dubious origin, or those which silently carry out activity that might not be seen favorably by the user," researchers Luigi Vigneri, Jaideep Chandrashekar, Ioannis Pefkianakis and Olivier Heen wrote in the paper.

Bad actors abound

The researchers began by testing 2,146 applications with internet-access permissions from 25 different categories in the Play Store to observe how each would behave on an unrooted Android 4.1.2 device.

They ran the apps through a series of 10,000 scripted user input events, such as screen touches and scrolls. Any network connections made by the apps were then tested against the AdBlock EasyList ad and privacy URL depositories, as well as the VirusTotal and Webutation scanning services. HTTPS traffic was not analyzed.

In total, 1,710 of the tested applications were found to generate network traffic, requesting some 250,000 URLs on 1,985 top-level domains. The study found that some applications would connect to as many as 2,000 separate URLs within minutes of launching, while others generated more than 1,000 HTTP requests.

Of the tested apps, 67 per cent connected to a known ad domain, with each requesting about 40 different URLs, on average. Another 26.8 per cent of the tested apps connected with tracking URLs, in some cases requesting more than 800 URLs per app.

Some 5.6 per cent of the requested URLs showed up as "suspicious" on the VirusTotal scan, while Webutation marked 2.9 per cent of the domains as "malicious."

"The results presented thus far clearly indicate that applications on the Google Play Store often connect to destinations that are not essential for the operation of the app itself," the researchers wrote. "Furthermore, much of this communication is completely hidden from users."

Call in the NSA

With that data in hand, the researchers set out to construct their watchdog app: NoSuchApp (NSA). NSA sets itself up as a local proxy to examine all traffic before it leaves the handset.

With the proxy established, NSA is then able to use the researchers' matching process to check the URLs being accessed. To reduce errors and save on hardware drain, NSA matches apps to sockets and collects multiple requested URLs, only checking them for matches in bundles.

Users are then presented with a picture of what and how frequently those URLs are communicating with their devices and which are known to be associated with ad networks, tracking tools, and possible malware activity that bypasses the proxy.

The researchers hope to eventually flesh out the list of known bad actors and allow users a clearer picture of what each of their Android apps are really doing. One possibility, they suggested, would be to set up a crowdsourced "app reputation system" where individuals can inspect the traffic being generated by the apps they use and tag it as normal, unexpected, or suspicious.

"Such individual signals could be aggregated at a back end and fed back into the application," the research paper explains. "This would enable easy blacklisting of applications (and their traffic) based on what other users have observed and reacted to."

NoSuchApp is currently Android-only, with the researchers noting that Apple's iron-fisted hold on the iOS App Store has the beneficial effect of catching bad behavior prior to release. ®

* Earlier, the researchers linked to a Dropbox-hosted download of the app, but it now seems to have been pulled due to excessive traffic. The developers say they plan to make it publicly available in the Google Play store "in the near future," so keep your eyes peeled for it there.