Many Free Android Apps Are Starting To Look A Lot Like Malware

The money-go-round between app developers and ad networks is starting to blur the line between many free Android apps and malware. While these legitimate apps aren't stealing passwords, they're still riding roughshod over user privacy by gratuitously sucking up your contact and location information — or worse.

What These Bad Apps Glom Onto

Between last September and March, security vendor Bitdefender analyzed 130,000 popular Android apps on Google Play and found that roughly 13% collected your phone number without explicit notification, 12% stored your location data and 8% sucked up your email address. Included in those numbers are apps that siphoned off one or more of the three.

Many apps don't stop there. Other data they glom onto includes your browsing activity, your contact list, the unique identification number of your device and even your call registry.

These apps took all that information legally. Android apps display their privacy policies in seeking permission to gather personal data, and many developers bank on the fact that most people will just click through to the app.

(See also: Hey! iOS Apps Play Faster And Looser With Your Data Than Android)

All that data gathering typically starts when an app developer download an ad framework provided by more than 400 companies listed on the Ad Network Directory. Such frameworks makes it easy for developers to display ads in the app, and thus to get paid every time someone clicks on them.

Since free apps only make money for developers from such clicks (and, it turns out, the distribution of associated user data), very few pay attention to exactly what kind of information ad frameworks are gathering.

"Because they copy-paste the code, they don't really debug it; they don't really look through it and see what data it collects," Bitdefender researcher Liviu Arsene told me. "I bet they don't even care."

And It Doesn't Stop There

App privacy policies often stake out even more aggressive data-collection goals, presumably to pave the way for future updates to vacuum up more info and further erode user privacy.

Take, for instance, Airpush, the second-largest ad network for Android developers with 40,000 apps. Its privacy policy reads, in part:

[I]n accordance with the permissions you have granted, we may collect your device ID, device make and model, device IP address, mobile web browser type and version, mobile carrier, real-time location information, email address, phone number and a list of the mobile applications on your device.

The policy goes on to explain that Airpush might supply that information to third-party advertisers who are part of its ad platform and third-party vendors, consultants and other service providers. Because the data is available to so many organizations, it's virtually impossible to know who is using your personal data, and how, once it leaves the device.

Obviously, the possibilities for abuse here are legion. Suppose one of those third-party organizations is acquired by an outfit that is, shall we say, less reputable. Or that a third party company's computers are hacked, spilling your data into the hands of cybercriminals.

The Feds Agree: It's A Huge Problem

Federal regulators acknowledge that a huge problem exists. "Mobile technology provides unique privacy challenges," Jon Leibowitz, departing chairman of the Federal Trade Commission, said in February, as reported by The Wall Street Journal. "Some would say it's a sort of Wild West."

The FTC wants the mobile industry to bolster privacy controls by allowing phone users to opt out of being tracked by ad networks. The commission also wants apps to prominently display the kind of data they're collecting, rather than burying it in fine print. Congress is also considering proposals to tighten privacy protections on mobile devices, though it's hard to say how such measures will fare given firm opposition from industry.

In the meantime, here's some free (!!) advice: Scrutinize your free mobile apps as if they're malware ready to wreak havoc on your personal information.