Symantec has positively identified a stealth trojan hidden in a Tapsnake video game app for Android smartphones.
The classic title – which appears innocent enough – is described as yet another iteration of a snake game which responds to taps for turn directions.
However, the app activates Android’s “satellite” icon in the top menu bar while the game is running, indicating the definite acquisition of GPS data.
“What was requesting this data? Well, it was a Trojan included with the game, which then uploads data to a remote server, allowing another person to monitor the location of the phone without the knowledge of the user,” Symantec confirmed in an official security bulletin.
“[But] in order to receive the GPS coordinates, a second, paid-for application called ‘GPS Spy’ must be installed on another Android device. In this case, the developer describes it as an application to track another mobile.”
According to Symantec, AndroidOS.Tapsnake uploads GPS data every 15 minutes to a utility running on Google’s free App Engine service.
GPS Spy then downloads the data and uses the service to conveniently display it as location points in Google Maps.
As such, individuals monitoring compromised phones can even view the date and time of the specific points uploaded by the Trojan.
“The silver lining here is that for the application to really be used maliciously, an attacker would need to have access to the phone to install the program. [And] for it to work, an email address and ‘key’ must be typed into the phone running AndroidOS.Tapsnake,” the security company noted.
“This same registration information must [then] be typed into the phone running GPS Spy. [So, while] disconcerting, this is not a major threat and it’s probably not widespread, but it [does] show how new mobile threats are evolving and emerging.”