Legitimate apps modified to serve ads and offered on Android Market
When there’s easy money to be had, crooks usually don’t care who will end up losing it – and cyber crooks are no exception to that rule.
Here’s a quite recent example: Kaspersky Lab expert Tim Armstrong has discovered that an Android app developer has effectively used the source code of a legitimate app made by another developer, added to it a Pay-Per-Install library and has been spotted offering it on the Android Market.
The original app is named ElectricSleep and aims to improve the quality of the users’ sleep by waking them during a light phase of their sleep cycle. Unfortunately, the stealing developer decided to keep that name, creating confusion and making the theft easier to spot by the original developer.
The only effective difference one can initially spot between the two apps is that the legitimate one does not ask for permission to access the users’ network-based and GPS location.
An in depth analysis revealed that the aforementioned Pay-Per-Install library is part of a software development kit of AirPush – a company that specializes in pushing ads to end users through apps:
So what’s in it for the stealing developer? According to the company site, he (or she) gets from $6 to $40 for every 1,000 users who see a particular ad.
“While these Pay-Per-Install services are not illegal, they can be intrusive, and stealing apps just to add on advertising code is definitely in violation of the Android developer License agreement,” points out Armstrong, and adds that while the stolen and modified ElectricSleep app has been removed from the Android Market, the stealing developer still retains his account and will surely continue with these dirty tricks.
As always, users are advised to closely check the permissions asked by each app they plan to install and be critical in their final decision.