Rogue Android app steals data while showing pretty pictures

Mobilebeat is reporting that a rogue Android wallpaper app has been collecting personal data and sending it off to a site in China, as discovered by mobile security firm Lookout as part of their App Genome Project.

Lookout found the dodgy wallpaper application as part of the Genome project, where they logged data from more than 100,000 free Android (as well as iPhone) apps to see how they behave. The project uncovered many apps requiring permissions they did not need, and accessing personal data often. It's worth noting that on Android, when you install an application you are prompted to allow an application to have permissions to perform certain sets of actions, whereas on the iPhone, Apple approves anything, so apps can do anything  without notifiying once installed.

Mobilebeat says that the wallpaper application comes from a company called "Jackeey Wallpaper" and was in the Android Market and included "branded wallpaper from My Little Pony and Star Wars." The application allegedly captures your phone number, subscriber identification as well as your voicemail number, but only if they are stored on your phone. Apparently the data is then sent to a website owned by someone in Shenzen, China with the domain name of imnet.us. Lockout says that the application has been downloaded up to 4.6 million times, and that other apps like it exist.

Lookout says that there isn't malicious behaviour coming from the application yet, and that a lot of applications access your personal data frequently. The data was unveiled in a talk by Kevin MaHaffey, chief technology officer at Lookout in a talk at the Black Hat conference in Las Vegas yesterday. MaHaffey said that "Even good apps can be modified to turn bad after a lot of people download it," and that "Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it."

John Hering, chief executive of Lookout also said he believes that "both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps. But it’s unclear what happens when apps behave as the wallpaper apps do, where it’s not clear why they are doing what they are doing."

Full details of the wallpaper applications are available here, on the Lookout website.

Report a problem with article
Previous Story

Update: HTC Evo to get Android 2.2 August 3rd

Next Story

iPhone 4 launch MIA in New Zealand

24 Comments

Commenting is disabled on this article.

Nobody's ever managed to present a convincing argument that downloading phone apps from an app store is any "safer" than downloading programs for a Windows computer. This sort of thing invalidates any claim of them being trustworthy sources.

The same goes for the open vs closed source argument--stories about malware being slipped in come up on a regular basis.

CoMMo said,
There's no kind of QA dept. that examines the source code of apps before posting them?
Nope. Zero real approval process.

Elliott said,
Nope. Zero real approval process.

Wow, that's just like the two extremes of the application store: Apple and Google. Apple examines apps, but overkills it by maintaining monopolistic control. Google doesn't check them at all.

/sadface

joemagoe said,

Wow, that's just like the two extremes of the application store: Apple and Google. Apple examines apps, but overkills it by maintaining monopolistic control. Google doesn't check them at all.
/sadface

yeah but Apple just checks if the program fits them or not, they are not checking if the App is safe or if it does sent sensitive information home. So basically, Apple's QA is worthless because it only "protects" Apple and not the iPhone users.

Like said in a newsarticle yesterday, 1/4 of the iPhone Apps sent your personal data also back home to the developers...

vacs said,

yeah but Apple just checks if the program fits them or not, they are not checking if the App is safe or if it does sent sensitive information home. So basically, Apple's QA is worthless because it only "protects" Apple and not the iPhone users.

Like said in a newsarticle yesterday, 1/4 of the iPhone Apps sent your personal data also back home to the developers...

did you hear about the flashlight app that someone made that had hidden tethering capabilities?? haha.. so much for CHECKING... any did it get approved anyway? there are like 20K flashlight apps..

vacs said,
yeah but Apple just checks if the program fits them or not, they are not checking if the App is safe or if it does sent sensitive information home. So basically, Apple's QA is worthless because it only "protects" Apple and not the iPhone users.

Like said in a newsarticle yesterday, 1/4 of the iPhone Apps sent your personal data also back home to the developers...

Not really. Apple examines what apps do pretty carefully. There are apps that send back data, but Apple severely limits what a developer can send back (even with user permission). There are some bum reviewers (humans are involved and humans are flawed) so some apps (like the hidden tethering in a flashlight app) can get through, but all-in-all, it's still much more trustworthy than Google's Android Market.

Elliott said,
some apps (like the hidden tethering in a flashlight app) can get through, but all-in-all, it's still much more trustworthy than Google's Android Market.
Calling Apple "trustworthy" is on the verge of laughable

it's really great android is open and let the user do whatever they want. unlike steve jobs' "you do it my way" approach. however, it opens doors for security risks google should address. and they have to sooner or later. I see windows 9x's virus/spyware/malware chaos repeating on this platform. for the average people, they don't know they shouldnt install those crapware that collecting location info, phone logs, etc in the background.

As far as I can see, there's no security risk here. When you install an app through the Android marketplace, it will tell you what permissions it needs before you install, and you can review what things it wants access to. When a "Free Awesome Daily Wallpapers" app is asking for permissions to access your contact details, it should set alarm bells off. I've refused to install many different apps on these grounds.

Ignorance is not an excuse in this case. Android Marketplace will tell you well in advance what risks there are, and if you choose to ignore them, then so be it.

... However, if you do venture out of the relms of the Android Marketplace (something we Android users get the ability to do) and download unverified apps, then the malware is harder to spot, but still, Android will tell you the risks of venturing out of the walled garden before you do it, and if you choose not to heed the warning, then its your problem when things go wrong.

leo221 said,
it's really great android is open and let the user do whatever they want. unlike steve jobs' "you do it my way" approach. however, it opens doors for security risks google should address. and they have to sooner or later. I see windows 9x's virus/spyware/malware chaos repeating on this platform. for the average people, they don't know they shouldnt install those crapware that collecting location info, phone logs, etc in the background.

Atleast there are no porn apps on the iPhone unlike the Android app store.