Will mobile apps become spam magnets?
Written by John P Mello Jr on March 25, 2010
The average number of Android apps per developer was just 3.9, but there were 32 developers who launched more than 100 apps.
Spammers never seem to miss an opportunity to spread their junk and create headaches for spam fighters. Their latest target, smartphone applications, must have many organizations on edge as the popularity of these devices, especially among upper echelon executives, continues to grow. Top brass are very enticing targets for spammers phishing for executives, who frequently have access to the kind of sensitive information junk artists crave.
An early victim of spammer app attacks appears to be smartphones running Google’s mobile operating system, Android. The phones have proven to be quite popular. Google recently announced that its partners were selling 60,000 units a day. With sales like that, it’s not surprising that the store selling applications for the device, Android Market, already has some 30,000 free and for-sale apps in its library. Although Google refuses to break out the free-to-paid ratio in the store, others are not so reticent. AndroLib, a combination app retailer and numbers shop, estimates that 61 percent of the programs are free and 39 percent paid.
What’s more important, though, especially for email administrators and other spam fighters, is the claim that 10,000 of those applications are junk released by spammers. Granted, that number is coming from a company, AppBrain, that’s pushing a service that includes filtering spam applications from search results of the Android Market, but if it’s accurate, it’s disturbing news indeed.
AppBrain used a two-part methodology to identify suspected spammers. First, it identified all the developers who produced Android apps. It found that the average number of apps produced by a developer was 3.9, but a small number of developers, 32, had produced more than 100 apps each. “Because it’s so easy to launch apps on Android, some developers flood the market with lots of nearly identical apps which have little functionality,” the company observed in its blog.
After analyzing the developers, AppBrain studied the user ratings given to the apps they produced. Programs that received “bad” ratings or very few ratings were deemed spam. By those measures, 359 developers produced 10,000 spam apps.
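The two-part screen described above, sketched as an added example (not AppBrain's code and not part of the original article). The record layout, every threshold and the way the volume and ratings checks are combined are assumptions, since the article gives no cutoffs for "bad" or "very few" ratings.

```python
from collections import defaultdict
from statistics import mean


def sample_listings():
    """Constructed data: (developer, app, average rating 1-5 or None, rating count)."""
    rows = [("solo_dev", "Trail Maps", 4.4, 812),
            ("solo_dev", "Tide Clock", 4.1, 230),
            ("solo_dev", "New Beta", None, 0),      # unrated, but from a small developer
            ("studio_b", "Chess Pro", 3.9, 1500)]
    # A bulk publisher with 120 near-identical, barely rated apps.
    rows += [("bulk_pub", f"Wallpaper Pack {i}", 1.8, 2) for i in range(120)]
    # A prolific but well-rated publisher, which should not be flagged.
    rows += [("big_house", f"City Guide {i}", 4.2, 400) for i in range(110)]
    return rows


def apps_per_developer(listings):
    """Average number of apps per developer (the article's 3.9 figure is this metric)."""
    counts = defaultdict(int)
    for dev, *_ in listings:
        counts[dev] += 1
    return mean(counts.values())


def flag_suspected_spammers(listings, min_apps=100, bad_rating=2.5,
                            few_ratings=5, poor_share=0.8):
    """Return {developer: stats} for developers failing both checks.

    All four thresholds are illustrative assumptions, not published values.
    """
    by_dev = defaultdict(list)
    for dev, _app, avg, count in listings:
        by_dev[dev].append((avg, count))
    flagged = {}
    for dev, apps in by_dev.items():
        # Part 1: volume. Only unusually prolific developers are examined.
        if len(apps) <= min_apps:
            continue
        # Part 2: ratings. Count is tested first so unrated apps (avg None) are safe.
        poor = sum(1 for avg, count in apps
                   if count < few_ratings or avg < bad_rating)
        share = poor / len(apps)
        if share >= poor_share:
            flagged[dev] = {"apps": len(apps), "poor_share": round(share, 2)}
    return flagged
```

Requiring both checks keeps a small developer with one unrated app, and a large publisher with well-rated apps, out of the flagged set.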
At this point, it appears spammers in the Android market are just out to make a quick buck from consumers, but the fact that so much junk can enter the market suggests that it’s only a matter of time before apps appear with more nefarious goals. Some apps now are nothing more than referrals to Web sites. It’s not a very far leap from there to using apps to send users to phishing holes where sensitive information can be filched from them or malware pushed to their phones.
“Smart phones are essentially becoming regular computers,” maintained Vinod Ganapathy, an assistant professor of computer science in Rutgers’ School of Arts and Sciences. “They run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack by malicious software, or ‘malware.’”
Ganapathy, with computer science professor Liviu Iftode and three students, recently demonstrated how a rootkit could be installed on a smartphone. What would make a rootkit particularly pernicious on a smartphone is that there are presently no tools to detect one. Because rootkits reside in the bowels of a computer’s operating system, they’re very difficult to detect and terminate. On the desktop, virtual machine monitors can be used to detect a rootkit. Smartphones, though, lack the muscle to run that kind of software.
A rootkit planted on a smartphone could be a gold mine for snoops. For example, in their experiments, the researchers sent a text message to an infected phone that silently turned on its speakerphone and placed a call to a phone number. The stunt could be very valuable for eavesdropping on meetings or sensitive conversations.
Other tricks performed by the rootkit included revealing a phone’s location through its built-in GPS function after receiving a text message to do so and turning on power-hungry features such as Bluetooth and GPS to quickly drain the phone’s battery.
In their experiment, the researchers did not assess the vulnerability of specific smartphones. In fact, they didn’t use a mainstream smartphone in their endeavors at all but a phone used primarily by software developers. In addition, their rootkit was directly injected into the phone, not placed through an exploited vulnerability, which is the typical route taken by a malware infection.
“What we’re doing today is raising a warning flag,” Iftode said. “We’re showing that people with general computer proficiency can create rootkit malware for smart phones. The next step is to work on defenses.”





Congratulations! You have just won a new blog reader
.. really awesome blog, Mike.