Mobile Threat Monday: Mysterious Android App Emails Your Location to Creepers

Smartphones have brought us wonderful things, such as Snapchat, Flappy Bird, and the ever present fear that someone might be tracking our every move. This week, researchers at Malwarebytes  tipped us off to a malicious Android app that emails your location to an unseen operator. It's scary and it's called Spy.MailGPS.

Before we dive in, I must note that location tracking is a huge issue on all smartphones. Smartphone makers and app developers have come under fire for accidentally exposing users' location, and for harvesting that same information. It's a problem that's not going away, but MailGPS is much scarier.

Every Move You Make
To avoid detection, the MailGPS app is named com.services.Google. This is a particularly clever move, since Google has started including several tools to give the company more control over Android phones. The average user probably doesn't understand what the real apps are called, and would likely ignore or be confused by the appearance of another Google service on their phone.

Once installed, the malicious app sends an email containing a Google Maps link with the latitude and longitude of the victim's phone, presumably to the attacker. Malwarebytes says that the email appears to be triggered by an SMS command, reminiscent of the tools provided by Google and other companies to help locate lost or stolen Android phones.

More frightening is that MailGPS runs in the background, awaiting the SMS command to send the victim's location. That means that the attacker could repeatedly locate the victim, perhaps while homing in on his or her location.

Most Android malware aims to make quick cash from as many victims as possible. That usually means signing people up for premium SMS services, various forms of clickfraud, or some other scam that the victim won't notice right away. The strange thing about MailGPS is that there's no immediate way I can discern that the attacker can make money from it.

That makes me think that it's a form of spyware. These apps are typically sold by shady developers to people who want to spy on their spouses. The apps are typically installed by suspicious individuals on their loved ones' phones without the victims' knowledge. This scenario not only breaks the trust between two individuals, but also the basic protections built in to Android to prevent these kind of apps.

Staying Safe
This is hardly the first time we've seen an app that can spy on your location. A remote access Trojan called AndroRAT has been available online, for free, for some time now, and is even more subtle and dangerous than MailGPS. Unfortunately, Malwarebytes doesn't have a lot of information about where MailGPS came from or who made it. Researchers' best guess is that it may have been posted to third party app stores.

From the looks of it, I believe MailGPS is some kind of spyware, probably installed by someone with direct access to victims' phones or by sending phishing emails linking to the malicious software. The best way to keep someone from installing software on your phone without your knowledge is to lock your device with a passcode. Android devices have long supported pattern locks, and newer ones will even let you unlock your phone with a fingerprint. Also, avoid downloading and installing apps from links, even if they appear to come from a company or someone you trust.

If you received a phone as a gift and are suspicious that it might contain something nasty, start by doing a full system wipe. After the phone is clean, log in using a trusted Google account that you haven't shared with anyone. When it comes time to install new apps on your phone, avoid third party app stores and stick with Google Play.

Lastly, be sure to install and use Android security software. There are several options available, including Malwarebytes' offering and Editors Choice winners Avast and Bitdefender. With these on your device, you'll be making it much harder for nasty software to gain a foothold.