According to Symantec, a game called Tap Snake – a snake clone that I was unable to find in the Android market – poses as an innocent game, but beneath its slinky apple-eating core is a trojan that tracks your GPS coordinates (along with the dates and times you were at those locations) and can transmit them to another device that has an app called GPS Spy installed – currently $4.99 in the Android market.
The funny thing here is that Symantec admits there are other apps in the Android market that knowingly report to GPS Spy (and that similar apps exist in the iOS app stores), but their security team considers this particular application a trojan because it hides this functionality. How does it work? The person who knows how to “unlock” this functionality would “register” the game on the actual device with an email address (to which the coordinates are sent) and the “code” itself.
It sounds scary at first, but this would require the “hacker” (who wouldn’t need to do much outside of asking for your phone to “install a cool snake game he found”) to actually have physical access to your device and enough time to install it. How you allow people (especially strangers) to use your device ultimately determines how safe you are: I personally have an application locker installed to keep anyone without my unique password from accessing certain areas of my phone, including settings (enabling non-trusted apps), the file manager, and the Android market (as well as other sensitive areas such as call logs, text messages, and emails).
They’d be able to bypass all of that if you don’t lock your browser, but if someone you don’t trust is using your phone, you’re more than likely already watching them to make sure they aren’t doing anything malicious. Enough about my security OCD, though, because Google considers this a non-issue, playing down its status as a “true” trojan. Symantec is right to ask users to exercise caution because the app fails to disclose its hidden features, but as Google states, the permissions granted to an app are clearly stated before you go through with hitting that install button.
As I write this report, the app is no longer in the Android market (at least for my device), but if you’re feeling unsafe, be sure to uninstall it from your device and be more careful with what you download from now on.