Smartphone users need to realise that their mobile phone is less of a phone and more of a mobile computer, in which applications can collect data from other applications installed on the same device. Some, such as browsers, can also access browsing history information from other machines belonging to the same user as well.
Smartphone apps are able to access information that is specific to other applications due to the way applications integrate with each other within the mobile operating system – for instance, a game could access and use the information stored in the address book or could read profile data taken from social connectors such as Facebook, LinkedIn, Twitter and Google+.
In addition to this, carriers (namely, mobile phone companies) also install their own software on the phones, both at the operating system level with personalized interfaces and at the baseband level – essentially, the part that puts the “phone” in “smartphone”.
The baseband has higher levels of access to the smartphone hardware than even the user-visible operating system itself, so any leak or compromise at this level cannot even be detected by security apps running on the smartphone. On an even lower and therefore more privileged level, there are SIM card operating systems, which deal with phone network operations such as registering with a base station and delivering baseband software updates over the air.
Depending on what permissions are granted upon installation, an application might process the accessed information and send it to the developer or a third party. Most of the time, these pieces of information are collected by independent third parties such as ad networks that use the information for pushing targeted advertisements, and, in exchange, pay the developer a specific amount per user.
As these pieces of information are exfiltrated from the “victim’s” device, another third party could just duplicate them as they travel across the carrier’s mobile network and store them for further processing. In this case, the ad network only serves as a vector.
Applications that require permissions related to social networks or access to the device’s sensors (for example the camera, accelerometer, microphone or GPS) are highly likely to collect and report these inputs. We advise users to not install any such applications unless they feel comfortable with this information landing in a third party’s hand.