Why GPS Location Leakage is not simply a malware problem: Flaws in legitimate apps continue to expose users to real-time risks.

Authors: Jinjian Zhai, Tianfang Guo

Nasir al-Wuhayshi had a bounty of 10 million USD issued by the US State Department in October 2014, and was killed in a US drone strike in the Hadhramaut Governorate of Yemen on 12 June 2015.

Explaining the mystery of how al-Wuhayshi got pinned in a vast area of desert land mass, CNN reported: “This was more than just luck. … He got sloppy and moved in a way that he could be tracked. … Classified high tech gear makes the strike possible. Eavesdropping of cell phone and monitoring of social media by the intelligence community is at all time high.”

According to CNN, eavesdropping on Nasir al-Wuhayshi’s cellphone disclosed his location, like something out of a 007 film. Mobile apps, especially social media applications, emerge as new sources of location intelligence.

Although this was a fatal example of the leakage of physical GPS metadata, in this case the information was in the hands of international law enforcement. It is easy to imagine far worse outcomes had similar data been in the hands of criminals.

Similar privacy leaks are not confined to places as far away as Yemen. On June 17, Reuters reported that large amounts of private data had been exposed by common flaws in application development: “Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users’ personal information, including passwords, addresses, door codes and location data, vulnerable to hackers.”

Below is an example of a GPS location leaked by a legitimate Android app.

com.songguo.hotel is a popular Android hotel booking app from Ctrip.com, one of the largest online travel services in China. The version we analysed sent the device's GPS location to the Baidu Map service without any user input. The coordinates, accurate to a few meters, were captured in transit as plain text.

Figure: the GPS coordinates as captured in plain text.

Figure: the user's high-accuracy location plotted from the captured GPS coordinates (map).

The Trustlook Mobile Security platform and application detect this GPS-stealing behavior under the name “StealBy.Socket”.

Figure: detection report score for the sample (report_score).

Figure: the malicious “StealBy.Socket” behavior as shown in the Trustlook Mobile Security app (report_pcap).

Figure: apps leaking GPS data flagged as malicious by Trustlook Mobile Security (app_detect).
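The capture above shows the core of the problem: precise coordinates travelling in cleartext, readable by anyone on the path. The following is an added example, not code from the original post or from Trustlook, of the kind of network-side check a privacy monitor can run over plaintext HTTP requests. It scans constructed sample requests for latitude/longitude pairs, whether sent as separate parameters or as a single "lat,lon" value, and reports the receiving host together with the coordinate precision. The parameter names, hostnames and coordinates are assumptions made up for the example.

```python
"""Detect plaintext GPS coordinate leakage in captured HTTP requests.

Added example (not from the original post). It parses the request line,
Host header, query string and form body of plaintext HTTP requests and
flags any that carry a high-precision latitude/longitude pair.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names commonly used for coordinates (assumption, not from the post).
LAT_KEYS = {"lat", "latitude", "lt"}
LON_KEYS = {"lng", "lon", "long", "longitude", "lg"}

# Constructed sample requests, as a sniffer might print them. Hosts and
# coordinates are made up; only the third request carries no location.
SAMPLE_REQUESTS = [
    "GET /geocoder/v2/?location=39.915185,116.403901&output=json HTTP/1.1\r\n"
    "Host: api.example-map.test\r\n",
    "POST /api/hotels/search HTTP/1.1\r\nHost: booking.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "lat=31.2304&lng=121.4737&city=Shanghai",
    "GET /ad?uid=1234&ts=1434585600 HTTP/1.1\r\nHost: ads.example.test\r\n",
    "GET /v1/w?lt=22.54321&lg=114.05789 HTTP/1.1\r\nHost: weather.example.test\r\n",
]

# A "lat,lon" pair embedded in one value, each with at least three decimals.
COORD_PAIR = re.compile(r"(-?\d{1,2}\.\d{3,}),(-?\d{1,3}\.\d{3,})")


def _in_range(lat, lon):
    """Reject numbers that cannot be geographic coordinates."""
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


def _decimals(text):
    """Number of decimal digits; 5 decimals is roughly one-metre precision."""
    return len(text.split(".")[-1]) if "." in text else 0


def extract_coordinates(request):
    """Return a dict describing a leaked coordinate pair, or None.

    Handles two encodings: separate lat/lon parameters, and a single
    parameter whose value is "lat,lon". Looks in the query string and,
    for POST, in a form-encoded body.
    """
    head, _, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    host = next(
        (l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")),
        "?",
    )
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    if method == "POST":
        params.update(parse_qs(body))

    # Case 1: coordinates sent as separate parameters.
    lat = next((v[0] for k, v in params.items() if k.lower() in LAT_KEYS), None)
    lon = next((v[0] for k, v in params.items() if k.lower() in LON_KEYS), None)
    if lat is None or lon is None:
        # Case 2: a "lat,lon" pair inside any single parameter value.
        for values in params.values():
            match = COORD_PAIR.search(values[0])
            if match:
                lat, lon = match.group(1), match.group(2)
                break
    if lat is None or lon is None:
        return None
    try:
        flat, flon = float(lat), float(lon)
    except ValueError:
        return None
    if not _in_range(flat, flon):
        return None
    return {
        "host": host,
        "path": parts.path,
        "lat": flat,
        "lon": flon,
        "decimals": min(_decimals(lat), _decimals(lon)),
    }


def find_location_leaks(requests):
    """Return one record per request that leaks a coordinate pair in cleartext."""
    return [rec for rec in (extract_coordinates(r) for r in requests) if rec]


if __name__ == "__main__":
    for leak in find_location_leaks(SAMPLE_REQUESTS):
        print(f"{leak['host']}{leak['path']} received lat={leak['lat']} "
              f"lon={leak['lon']} ({leak['decimals']} decimals) over plaintext HTTP")
```

Because the check only sees what the wire carries, it finds nothing when the same request goes over TLS; that is the point: a finding here means the location was readable by every hop between the handset and the server. A host that did not ask the user for location consent but still appears in the output is the situation this post describes.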

There are ways to avoid leaking GPS location, including disabling location sharing entirely when an app prompts for it. Sometimes, however, no such prompt is shown at all, as with the app studied in this post. Consumers should therefore rely on antivirus applications to protect their privacy not only from malware but also from the risky behavior of legitimate apps.

Other data leaks, including passwords, photos, and medical data, will be investigated and published in the future. Stay tuned…

To read the full report of the sample from the Trustlook Antivirus platform, please contact: support@trustlook.com
