Researchers carried out a large-scale analysis of URLs embedded in 13,500 free Android apps downloaded from Google Play. The apps tested were created by reputable developers and downloaded by many people; they included news services, popular social networks, shopping, and entertainment apps.
Michalis Faloutsos, a computer science professor in UCR’s Bourns College of Engineering, said that most users are not aware that their private information could be compromised, as apps connect to a complex network of websites, both to function and to increase advertising revenues. According to Faloutsos, most users are not aware that this is happening and that their personal data can be passed into the hands of others.
“We focused on a relatively neglected aspect of security research, which is the potential for good apps to leak personal information through the sites they interact with. A lot of people believe that if an app is popular or available on one of the big app stores then it must be safe, and we suspected that wasn’t the case,” said Faloutsos.
Using a tool they developed called AURA (Android URL Risk Assessor), the team identified more than 250,000 URLs accessed by the 13,500 apps. These URLs were then cross-referenced for trustworthiness using VirusTotal, a database of malicious URLs, and Web of Trust (WOT), a popular website rating system.
The researchers found that:
- 9% of the popular apps interacted with malicious URLs (implicated in distribution of malware)
- 15% talked to bad websites (with intentions that vary from harming devices, stealing confidential data or annoying users with spam)
- 73% talked to low-reputation websites
- 74% talked to websites containing material that is not suitable for children
“I think the fact that nine percent of the good apps we analysed interacted with at least one website that distributes malware is very worrisome,” Faloutsos concluded. The researchers suggest users review new apps before downloading them and restrict the number of apps on their phones to only those that are actually required. The team is now developing a tool that allows users to evaluate the risk involved in downloading individual apps beforehand. The team will present their findings at the IEEE GLOBECOM conference in San Diego today.