How can one deliver spyware to a large number of unsuspecting users? The right answer to that question is – unfortunately – not a unique one, but among the methods is one tried by a company that attempted to convince the developers of a popular Android game to bundle it up with their offering.
According to the claim made by one of the game developers on Reddit, they were approached by a company telling them that they would like to be partners.
“They apparently ‘help mobile subscribers to gauge which mobile service provider is best for them’,” he says, adding that they said their existing application “measures customer experience” by collecting data in the background.
The company in question wanted to embed their application into the Tank Hero game, so that it is automatically downloaded with the next update. This made the developer instantly suspicious, but he wanted to take a look at the application for himself.
And he did. What he discovered was that the app requests a wide spectrum of permissions that can be misused to collect data. If permission is given, the application is able – among other things – to call or SMS phone numbers without the user knowing, detect the GPS coordinates of the device, read and edit SMS and MMS messages stored on the device or SIM card, read contact data and sensitive log data, intercept outgoing phone calls and make itself always run.
Of course, all these permissions would have been asked for when Tank Hero was next updated, but it is likely that many users would give their consent without even thinking about it twice.
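A developer vetting a third-party component before bundling it can diff the permissions an update would newly request, as in this added example (not code from the article or the game's developers). The mapping from the capabilities listed above to Android permission names is an assumption, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: capabilities named in the article -> Android permission names.
CAPABILITIES = {
    "android.permission.CALL_PHONE": "call phone numbers",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "detect GPS coordinates",
    "android.permission.READ_SMS": "read SMS/MMS messages",
    "android.permission.WRITE_SMS": "edit SMS/MMS messages",
    "android.permission.READ_CONTACTS": "read contact data",
    "android.permission.READ_LOGS": "read sensitive log data",
    "android.permission.PROCESS_OUTGOING_CALLS": "intercept outgoing calls",
    "android.permission.PERSISTENT_ACTIVITY": "make itself always run",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in an AndroidManifest.xml string."""
    perms = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit_update(old_manifest, new_manifest):
    """Split permissions added by an update into flagged capabilities and the rest."""
    added = requested_permissions(new_manifest) - requested_permissions(old_manifest)
    flagged = {p: CAPABILITIES[p] for p in sorted(added) if p in CAPABILITIES}
    other = sorted(added - set(flagged))
    return flagged, other

def _manifest(perms):
    # Builds a constructed sample manifest; the package name is a placeholder.
    rows = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.game">{rows}<application/></manifest>')

BASE = ["android.permission.INTERNET", "android.permission.VIBRATE"]
OLD = _manifest(BASE)  # constructed: game before the bundled component
NEW = _manifest(BASE + ["android.permission.READ_SMS", "android.permission.SEND_SMS",
                        "android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.READ_LOGS",
                        "android.permission.ACCESS_NETWORK_STATE"])

if __name__ == "__main__":
    flagged, other = audit_update(OLD, NEW)
    for perm, capability in flagged.items():
        print(f"NEW, review before release: {perm} ({capability})")
    print("Other new permissions:", other)
```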
The game’s developers say that they would both rather be unemployed than embed spyware in their application, so they refused the offer even though the company said they would receive money for each download.
The worrying thing is that it’s more than probable that there are developers out there who will not have such qualms.