Package Tracker ‘Parcels’ Adds Your Device to a Botnet

Popular package tracking app Parcels adds your device to a botnet, possibly by trying to avoid rate limiting when it comes to API usage (via 9to5Mac).

[Prepare for the Holidays With DHL Package Tracking]

Parcels Botnet

With a 4.7-star rating on the App Store, Parcels seems to be a popular choice in the package tracking niche. It’s developed by Pavel Tisunov and free with an optional subscription of US$3.49/year or US$0.99/month.

screenshots of parcels app
Parcels

Guilherme Rambo notes that when you launch the app it immediately starts sending requests to the server, even if you don’t yet have packages registered. The server sends information back about packages from other users. This includes the tracking number, the request headers, the URL for the courier’s API or website, etc.

Essentially, instead of running the work of tracking packages server-side, the app is leveraging the bandwidth, energy and processing power of its users to access courier websites, get the changes to delivery status and send that to other users. This type of behavior can be classified as a botnet, since every device which has this app installed basically becomes a bot, tracking packages for other users of the app, even if the user of the current device hasn’t registered any packages to be tracked.

There are many examples in which the app could be used in a negative manner, like launching DDoS or man-in-the-middle attacks. It also violates App Review Guidelines section 2.4.2 which says that apps can’t run unrelated background processes. It makes me wonder if other package tracking apps do similar practices.

[How to Track Christmas Packages With USPS]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.