Aug 17, 2010 15:07 GMT

Security researchers have identified a mobile spyware application, which tracks users' GPS location, being advertised and distributed on the Android Market as a game.

The rogue application is called "Tap Snake" and, according to its description, it's supposed to be "Yet another modification of the Google Android Snake game" that "listens to the taps for its turn directions."

The app functions pretty much as any snake-type game, but a service installed in the background captures GPS location data and uploads it to a remote server.

Apparently, Tap Snake is only the client component, which is supposed to be installed on the victim's phone in order for an attacker to track it via another Android application called "GPS Spy".

"Essentially, AndroidOS.Tapsnake uploads the GPS data every 15 minutes to an application running on Google’s free App Engine service. GPS Spy then downloads the data and uses this service to conveniently display it as location points in Google Maps. This can give a pretty startling run-down of where someone carrying the phone has been," security researchers from Symantec explain.

Another interesting aspect of this threat is that even if the game is killed, the service remains running in the background and starts each time the device reboots, continuously feeding GPS information to the attacker.
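The behaviour described above (location capture, network upload, a background service and restart at boot) leaves traces in an app's manifest that can be checked before installation. The following is an added example, not code from Symantec, F-Secure or the app itself: the manifest is a constructed sample with hypothetical package and component names, and the permission and action strings are the standard Android identifiers rather than values taken from the article.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
INTERNET = "android.permission.INTERNET"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample: decoded manifest of a hypothetical game, not Tap Snake's real one.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.snakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Snake">
    <activity android:name=".GameActivity"/>
    <service android:name=".TrackerService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return findings for the location + network + boot-persistence pattern."""
    root = ET.fromstring(xml_text)
    name = ANDROID_NS + "name"
    perms = {p.get(name) for p in root.iter("uses-permission")}
    services = [s.get(name) for s in root.iter("service")]
    boot_receivers = [r.get(name) for r in root.iter("receiver")
                      if any(a.get(name) == BOOT_ACTION for a in r.iter("action"))]
    findings = []
    if perms & LOCATION and INTERNET in perms:
        findings.append("reads location and has network access")
    if services:
        findings.append("declares background service(s): " + ", ".join(services))
    if BOOT_PERM in perms and boot_receivers:
        findings.append("starts at boot via: " + ", ".join(boot_receivers))
    return findings

def is_tracker_like(xml_text):
    # All three traits together match the behaviour the article describes.
    return len(triage_manifest(xml_text)) == 3

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), is_tracker_like(SAMPLE_MANIFEST))
```

Each trait is common in legitimate apps on its own; it is the combination in an app that presents itself as a simple game that merits a closer look.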

The GPS Spy application costs $4.99 and, according to security experts from F-Secure, it was created by a developer going by the online handle of "Maxicom."

Installing Tap Snake requires the attacker to have access to the victim's phone, at least for a limited amount of time. A unique key is entered during the process, which must later be used inside GPS Spy.

There are very few legal uses for such software, one of them being parental monitoring. However, previous examples have shown that most of the time these programs are used by jealous individuals to track their partners, in which case obtaining access to the target phone is not a big problem.
