Symantec warns about Tap Snake Android game

Android

Security software firm Symantec has warned of a seemingly harmless Android gaming app that makes it possible for users' movements to be tracked in real time through their GPS data.

The free Android game Tap Snake is billed as "yet another modification of the Google Android Snake game". However, behind the scenes the app logs the user's GPS coordinates every 15 minutes and uploads them to a server accessible to another paid-for spying app called GPS Spy.

"GPS Spy then downloads the data and uses this service to conveniently display it as location points in Google Maps," the Symantec advisory warns. "This can give a pretty startling run-down of where someone carrying the phone has been."

In its description for GPS Spy, which costs $4.99 to download, maker Maxicom even goes as far to openly instruct users to download Tap Snake to the phone they wish to track, though the download page for Tap Snake itself makes no mention of the app's hidden agenda.

"Download and install the free Tap Snake game from the Market to the phone you want to spy on. Press MENU and register the Snake with the service," Maxicom instructs. "Use the GPS Spy app on your phone with the same email/code to track the location of the other phone. Shows the last 24 hour trace in 15 min increments; data is kept for a week."

According to Symantec, Tap Snake has been downloaded anything from 1,000 to 5,000 times, while GPS Spy has been downloaded 100 to 500 times.

Despite Symantec classing the app as malicious for withholding its hidden features, the majority of consumers who have downloaded Tap Snake should have little to worry about. In order for a phone to be tracked, the attacker would need physical access to the handset in question to copy the code supplied by Maxicom when the app is installed, which then needs to be entered into GPS Spy.

In addition, Android notifies users which features of their handset an installed app wishes to access, theoretically making it simple to spot when an app is not what it seems to be.

The Symantec advisory marks the second time in a week that the safety of Android software has been called into question. Last week, fellow software maker Kaspersky Labs identified an SMS Trojan for the open-source OS that was found sending messages from infected mobiles to premium rate numbers.