X

Malicious smartphone apps turn your phone into tracking device

Researchers find apps spying on their users available for download in the Android play store.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
2 min read

Researchers from Lookout found malicious apps on the Google Play store.

Nicole Cozma/CNET

Be careful what you download.

Four apps available on the Google Play Store were spying on users in secret, according to research released Friday by Mobile security company Lookout. Running a malicious code that Lookout has dubbed Overseer, the apps could track your latitude and longitude and collect information on who you were emailing when.

"That information is incredibly valuable to an attacker who wants to find out where a person is and who they're talking with," said Kristy Edwards, product manager for security research at Lookout.

One of the apps, called Embassy, functioned as advertised in the Play Store, letting users look up their nation's embassy in foreign cities. In the meantime, it turned users' phones into homing devices and sent out email contact lists to accounts hosted on servers run by Facebook and Amazon. The other apps advertised themselves as news apps but didn't actually work. Nonetheless, they also contained Overseer.

Google has since removed the apps from the Play Store, according to a Lookout spokesperson. Google confirmed that apps' removal but declined further comment.

Edwards said she can't speculate on who created Overseer. She said the malicious software, which hasn't been identified in any other mobile apps so far, uses a novel technique to avoid detection.

Often, malicious software shows its hand by sending data to a random server in a foreign country. The fact that Overseer was sending user information to an account hosted by a Facebook service makes everything look above board.

That's useful for bad guys, because these days, companies are monitoring their employees' work phones for problems just like Overseer. Tricks like these make it hard to see "weird traffic," Edwards said.