New software catches 'spying' apps

Computer scientists have developed a new software that shows whether an app has accessed private data to spy on the user.

Apps on web-enabled mobile devices can be used to spy on their users, so researchers from the Saarland University in Germany developed the new software to track malicious activity by an app.

Last year at the end of July the Russian software company "Doctor Web" detected several malicious apps in the app store "Google Play", researchers said.

Downloaded on a smartphone, the malware installed - without the permission of the user - additional programmes which sent expensive text messages to premium services.

Although Doctor Web, according to its own statement, informed Google immediately, the malicious apps were still available for download for several days, researchers said.

Doctor Web estimates that in this way up to 25,000 smartphones were used fraudulently.

The new software can discover such malicious apps already in the app store. The software detects pieces of code where the app accesses sensitive data and where data is sent from the mobile device.

If the software detects a connection between such a "source" and such a "sink", it reports that as suspect behaviour.

Researchers demonstrated a malicious source-sink combination with an example.

"Your address book is read; hundreds of instructions later and without your permission an SMS is sent or a website is visited," said Erik Derr, who does research at the Center for IT-Security, Privacy and Accountability (CISPA) of Saarland University.

To identify a functional relation between source and sink, the computer scientists use new methods of information flow analysis.

As input they provide suspicious combinations of accesses on the application programming interface. As the software needs a lot of computational power and storage, it runs on a separate server.

"So far we have tested up to 3,000 apps with it. The software analyses them fast enough that the approach can also be used in practice," Derr said.