NortonLifeLock and researchers from New York University and Cornell Tech discovered hundreds of creepware apps on the Android Play Store, which Google has since removed. The applications were discovered with a new algorithm called CreepRank, developed by a team of academics.
This research was done last year and has now been published online in a paper titled “The Many Kinds of Creepware Used for Interpersonal Attacks.”
The term creepware refers to mobile apps that don’t possess the full features of a spyware or stalkerware product but can still be used to stalk, harass, defraud, or threaten another person, directly or indirectly.
The research team says it developed an algorithm named CreepRank that identifies creepware-like behavior inside mobile apps, and then assigns a creep score to each app.
For example, the CreepRank algorithm can identify apps with features that can be abused to extract SMS messages from a device, spoof another user’s identity in IM/SMS chats, launch denial-of-service attacks (SMS/IM bombs, etc.), hide other apps, control access to other apps, track location, and more.
The research team did this by running CreepRank on a sample of anonymized data from apps installed on more than 50 million Android smartphones. This data was provided by NortonLifeLock, and came from real-world devices running the Norton Mobile Security mobile antivirus.
By applying the CreepRank algorithm to app data sets from 2017, 2018, and 2019, academics said they found 1,095 creepware apps, accounting for more than one million installs across real-world devices.
The research team said it notified Google about the 1,095 apps last summer, and the tech giant’s security teams intervened and took down 813 for violating the Play Store’s terms and conditions.
In September 2019, after Google removed the apps and validated the algorithm’s efficiency, NortonLifeLock also announced it was incorporating CreepRank in its mobile antivirus product going forward.