mobilesecurity.com [Culver City, CA] There’s an Android app for just about every function you can think of. For example, I have a flashlight app that’s come in very handy a few times. It’s simple and it does its job. However, as I used it more and more, I discovered a few minor annoyances. When I power on the virtual flashlight, if the phone is not on mute, the app makes a shrill ‘power up’ noise. When the app is running, the screen is white except for a rotating ad banner at the top of the screen. That’s not too bad; I’ve become an expert at ignoring those.  But then I noticed a new icon on my device home screen; it was a search icon. I clicked it and it opened a search box, only it wasn’t Google. I played around with it and found it went to a site I didn’t recognise, called search******online.com. If I did a search from here, most of the results led to links for me to buy things. I began to wonder, where did that come from? After some investigation, it turned out that when I installed the flashlight app, it also added this icon to my desktop. Wow, now that’s annoying.

So why is this app determined to annoy me in such a way? There are plenty of other Android apps just like this one. Part of the answer lies in the fact that a vast number of apps are free. So why would a developer invest so much time in creating a product to give away for free? Many free apps are designed to bring in money through in-app purchases, such as unlocking additional features, extra levels, or to advance through a game more quickly. With apps like my flashlight, there’s no such method of taking payments. We all know the often used phrase “There’s nothing for free in this world”, but what is more relevant here, is another saying: “when the product is free, you are the product”. More specifically, your personal information is being sold to advertisers, by the app developers. Developers put ad networks into their free products. These aren’t harmful the way malware is, but they offer advertisers access to customer information, which allows them to deliver ads that are more relevant to you to increase your likelihood of making a purchase. From our research, we see that over 24% of all free apps make money by displaying ads, an increase of 31% from 9 months ago.

How does an app with ad networks find out information about you? The app you installed has permission to access certain data on your device. You allowed it access when you installed the app. Every Android app has a list of permissions, called a manifest, which shows precisely what the app requires access to. It’s there every time you install a new app; you likely pass over it quickly because you want to play the game or try the app you’ve just downloaded. I took a look at the manifest for the flashlight app and was pretty shocked at what it had access to. This flashlight app can take pictures and videos (well, that’s a bit weird), it has network access and can read my phone status and identity (hmm, now I’m a little concerned). Lastly, it has access to my location. Wait, what? Why does a flashlight app need to know where I am?

Most of this access is to deliver information about you to the ad networks so they are better able to target you with relevant advertising. If you’ve ever moved to a new home, you’ll notice a flurry of “Welcome to the neighborhood” promotions and coupons. How do they know you’re new? Possibly because they have a partnership agreement with the post office, cable or other entity that informs them of newcomers. Ad networks work in much the same way.

In our research, we’ve seen significant increases in required permissions. We took a look at all of the free Android gaming apps over the past year and noticed there had been a 50% increase in total permissions required by each app (up from 4 to 6). Moreover, we’ve seen a similar 50% increase in permissions that we believe could be risky, which can range from things like installing desktop shortcuts and browser bookmarks to allowing phone calls and SMS messages to be sent without your explicit consent.

It’s because of this escalation in the use of these more annoying ad networks, that Symantec has launched Norton Spot. Its full name is Norton Spot Ad Network Detector, and what it does is very simple: it scans the apps on your Android device to detect these ad networks. It then lets you know which apps are likely to be the cause of annoying activity on your device. It gives you basic information about behaviors that these apps exhibit so you can make your own decisions on which apps to keep and which to uninstall. Norton Spot tells you which apps contain ad networks exhibiting certain behaviors.

Mobile phone usage has skyrocketed and ads are quickly finding their way onto these devices in every way, shape, and form. Your personal information is up for grabs. Make sure you understand how to protect it.