More than half of the apps included advertising, and one in 337 apps included “aggressive” and potentially unsafe libraries that download and run code from the Internet.
“Running code downloaded from the Internet is problematic because the code could be anything,” said Xuxian Jiang, an assistant professor of computer science at NC State and co-author of a paper describing the work. “For example, it could potentially launch a root exploit attack to take control of your phone, as demonstrated in a recently discovered piece of Android malware called RootSmart.”
According to the survey, 1 in 2.1 apps, or 48,139 total, came with GPS tracking, which is believed to improve user targeting. 1 in 23.4 apps, or 4,190 total, allowed an advertiser to access a user’s location via GPS.
The researchers said that the libraries are a substantial security risk as they allow hackers to bypass Android security features. “To limit exposure to these risks, we need to isolate ad libraries from apps and make sure they don’t have the same permissions,” Jiang said. “The current model of directly embedding ad libraries in mobile apps does make it convenient for app developers, but also fundamentally introduces privacy and security risks. The best solution would be for Google, Apple and other mobile platform providers to take the lead in providing effective ad-isolation mechanisms.”