A team of researchers at North Carolina State University has found that many of the libraries used in free Android applications to display in-application advertisements also pose a threat to privacy and can be used by attackers to get past Android security. In some cases, the software libraries used by these apps "go a step further by making use of an unsafe mechanism to directly fetch and run code from the Internet, which immediately leads to serious security risks," the researchers wrote in a paper to be presented at the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks in Tucson on April 17th.

A team led by NC State assistant professor of computer science Dr. Xuxian Jiang examined 100,000 apps from Google Play (formerly known as the Android Market). They found that nearly half of them had libraries that track a user's GPS location—and one in 23 allowed that data to be passed back to the advertiser. In some cases, the NC State team found that libraries also could access a user's call logs, the user's phone number, and a list of other apps on the phone.

While the apps themselves may be harmless, the researchers found that the way they deliver advertising to Android devices poses additional risks. Because the ad libraries receive the same permissions that the user granted to the app itself when it was installed, they could be used to execute malicious code contained in advertisements, or other code downloaded after the app is installed, with the same permissions as the app and without the user's knowledge.