We received a Phantip this evening about some growing concerns around Mobage, a mobile gaming publisher in the Android Market, who’s games have mysteriously been asking for super user permissions on devices that are rooted. Understandably, there’s cause for alarm given root permissions are typically used for gaining access to features — whether legit or malicious — on an Android device. Just imagine you fire up a casual game of Pocket Frogs and all of a sudden you’re prompted for SU permissions. That’s enough to make anyone paranoid.
After digging around, we’ve found a few responses from Mobage explaining the situation. Apparently, the issue involving app SU requests has little to do with the actual game and more to do with the ad partner Mobage is using to generate revenue from their free apps. According to Mobage, the ad partner’s SDK looks for root on a device and for whatever reason, blocks ads to those devices. Mobage is still unclear as to why an ad agency would want to do this, with speculation involving things like increasing performance for rooted users who use adblocking apps.
It should be noted that our tipster did notice an “extra download” of 15MB after Pocket Frogs asks for SU which is a tad bit sketchy although “security apps” like AVG and Avast didn’t detect a threat.
Mobage did make it clear that they put their top engineer on the case with a fix is already in the works. They hope to have the “offending” apps updated in the Android Market in the coming days and rooted users everywhere can go back to farming for zombies.
While I trust Mobage, the same can’t be said for ad partners who could be doing who-knows-what with the data they phish from your phone. Developers should always be crystal clear with the description of their apps published to the Market and the permissions they request. Malicious apps are an ever growing concern in Android and transparency from developers and publishers are the only way to give some kind of peace of mind. When I download an app, the first thing I look for is how few permissions it asks for. Hope this article helps shed some light on the situation.