While iOS apps could technically leak device IDs, emails and phone numbers, Bitdefender's Botezatu explained, Apple routinely rejects such apps when it reviews them for suitability for its app store.
"Apple has had long-standing, strict policies in place," Jeremy Linden, a security product manager for Lookout, said in an email. "While Google Play has policies regarding ad behavior, they aren't as rigorous as Apple's."
In addition, Apple intensely enforces its policies. "Apps have to be reviewed before they are published," Linden explained. "This makes publishing an iOS app more cumbersome, but does help enforce some of the policies Apple sets."
Apple did not respond to a request for comment.
According to Trend Micro, almost one in four mobile Android apps contains malware or the kind of premium subscription scam that infected Brandt's phone. "Those apps not only exfiltrate your credentials, but [can] send text messages and access websites that you get billed for through your telco provider," Tom Kellermann, vice president of Cyber Security for Trend Micro, said in an interview.
"It's a great way to milk someone," he continued, "because they've downloaded an app that, unbeknownst to them, steals their credentials and contacts lists and forces them to use premium services."
Although the use of aggressive adware is a growing problem in the mobile world, it isn't new. "It's a problem that's been around forever," Dirk Sigurdson, director of engineering for Rapid7's Mobilisafe, said in an interview. "PCs have always had this problem, as well. Adware has always collected information from users to tailor ads for them.
"At least with mobile, you can see what your apps are accessing," he added.