Security researchers are sending up a flare to warn Google Android users about a video game that can be used to track and monitor their movements.
The application, known as Tap Snake, is a version of a 1970s video game called “Snake.” According to researchers at F-Secure, Tap Snake is a client for a commercial spying application known as GPS Spy.
“The Tap Snake game looks like an average ‘Snake’ clone,” blogged Mikko Hypponen, chief research officer at F-Secure. “However, there are two hidden features. First, the game won’t exit. Once installed, it runs in the background forever, and restarts automatically when you boot the phone. And secondly, every 15 minutes the game secretly reports the GPS location of the phone to a server.”
Once the game is installed, an attacker with physical access to the Android device can program the game to report the device’s location to another system running GPS Spy. While the game is free, GPS Spy costs $4.99, and buyers are advised to install the Tap Snake game on whatever device they want to spy on, Hypponen blogged.
According to Symantec, GPS Spy downloads the data from the device running Tap Snake and displays it as location points in Google Maps.
“For it to work, an email address and ‘key’ must be typed into the phone running AndroidOS.Tapsnake,” Symantec noted. “This same registration information must later be typed into the phone running GPS Spy.”
Like all Android applications, Tap Snake requires that users grant permission for it to do what it does. For that reason, Google is advising users to only install applications they trust.
“When installing an application, users see a screen that explains clearly what information and system resources the application has permission to access, such as a phone’s GPS location,” a Google spokesperson said. “Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time. They can also view ratings and reviews to help decide which applications they choose to install.”