Printed from http://www.electronista.com

Malicious wallpaper app affects millions of Android handsets

updated 10:50 pm EDT, Wed July 28, 2010

Personal data uploaded to Chinese website

A malicious Android Market app has reportedly been downloaded by millions of users, according to mobile security firm Lookout. The app, developed by Jackeey Wallpaper, offers a variety of wallpapers including branded content such as My Little Pony and Star Wars.

Aside from providing backgrounds, the utility quietly collects personal information such as SIM card numbers, text messages, subscriber identification, and voicemail passwords. The data is then sent to www.imnet.us, a site that hails from Shenzhen, China.

The app behavior was discovered as part of Lookout's App Genome Project, an endeavor that aims to study content on the Android and iPhone apps. The firm found that most apps regularly access personal data, while many use third-party code for advertisements or other services.

"This is something everyone should be vigilant about," Lookout CEO John Hering said at the Black Hat security conference in Las Vegas. The executive suggests both Apple and Google actively pursue malicious content to be purged from their respective app portals. [via MobileBeat]



By Electronista Staff
Post tools:

TAGS :

toggle

Comments

  1. chas_m

    Joined:

    +5

    HA HA!

    Okay, no I'm not really going to be that snotty ... j/k Android, we love ya ...

    I do hope this won't affect the iPhone market (heads up: jailbroken iPhones are at a higher risk), and I hope Apple sees this story and takes steps to make sure it doesn't happen here.

    We already saw what happened when other companies ignore and issue then it bites Apple ...

  1. Salty

    Professional Poster

    Joined: Jul 2005

    +10

    The nice part about being open

    The nice part about being open... it makes it far easier for people to sneak in malicious stuff!

  1. dmsimmer

    Fresh-Faced Recruit

    Joined: Feb 2005

    +30

    Motorola Droid X

    No jacket required... but you better wear a condom.

  1. DA360

    Fresh-Faced Recruit

    Joined: Dec 2009

    +10

    Damned if your open, Damned if your closed

    I noticed the whole "Open or Closed" thing seems to be a lose, lose situation. If you stay closed, like Apple, you lose in the fact people complain your "too controlling". If you stay open, like Android, as this article shows you let in malware, viruses, phishing software and it will get to the point where there will need to be a "Norton Antivirus for Android".

    But my personal opinion is I rather the company be considered "too controlling" than have viruses flooding my cell phone.

    Comment buried. Show
  1. IxOsX

    Fresh-Faced Recruit

    Joined: Feb 2009

    -14

    Obvious lots of you don´t know what is open!

    Obvious lots of you don´t know what is open! Open philosophy is the most secure of all because every one (code developers and security analysts) knows what is running.

    For me Android is not a truly open platform. The only openness they have is toward their OS. To be Open, all software and source have to be public. Android App Store software is as close as can be...

    So people! Don't talk about what you don't know.

    I confess that I don't know witch is more secure. My feelings say to me that in this moment iPhone OS without Jailbreak, looks much more secure to me than Android OS. But we never know! Let me just remember you that someone have already created a Light Application to Apple Store that could do other tricks that Apple had not detected. :-)

  1. Fast iBook

    Fresh-Faced Recruit

    Joined: Mar 2003

    +4

    Backgrounds...

    If you need an app for backgrounds, you're using it wrong. Thankfully there are tens of thousands of iPhone backgrounds online, so you never need to waste space, and possibly money, on an app that does really nothing.

    - A

  1. CmdrGampu

    Fresh-Faced Recruit

    Joined: Aug 2009

    -7

    iOS isn't really secure

    I'm not sure we have reason to be smug. Does Apple actually sift through the source code during the approval process? I would guess they don't, which is why that flashlight app with the secret tethering function got through a week ago and Apple had to quickly yank it from the store.

  1. qazwart

    Fresh-Faced Recruit

    Joined: Apr 2001

    +5

    You Don't Need the Source Code

    Apple doesn't have to shift through the source code to catch something like this. They can see what APIs are being accessed and how they're being accessed. They can check to see if the application itself is calling home and what information it is sending.

    Lookout didn't have the source code, they just watched what the app was doing. The iOS APIs also limit what you can do too.

    Of course, the problem on the iPhone is if somehow an app like this did escape, there are few tools for a security firm like Lookout to examine the app themselves.

    Fortunately, both platforms allow the manager to pull viral apps from their customer phones. That is, if these apps came from their stores and not a third party store.

    Comment buried. Show
  1. testudo

    Forum Regular

    Joined: Aug 2001

    -10

    Re: You Don't Need the Source Code

    Apple doesn't have to shift through the source code to catch something like this. They can see what APIs are being accessed and how they're being accessed. They can check to see if the application itself is calling home and what information it is sending.

    No, they can't. All they can do is run the apps to see what it does, and try to reverse engineer the app to see what APIs it calls. But anyone who's good at programming can bypass these if they want.

    And you can only see if they're calling home and what info they are sending if (a) the program calls home during the testing process, and (b) the information is readable during that process. It isn't hard to have the code not call home until a period of time or check to see if you're really on a phone.

    Of course, the problem on the iPhone is if somehow an app like this did escape, there are few tools for a security firm like Lookout to examine the app themselves.

    Somehow implies there aren't a ton of these apps all over the place. Without the tools to examine the apps, how can you be sure half the apps you have aren't sending content back to servers?

    And such an app did recently 'escape'. Do you recall the recent 'flashlight' app that had a backdoor that allowed people to enable tethering on their iPhones? How did Apple miss that?

    Comment buried. Show
  1. testudo

    Forum Regular

    Joined: Aug 2001

    -14

    Only goes to show

    The very first thing Apple needs to do with OS X 10.7 is close down this absurdity of being able to install any program you want. Every piece of software should go through Apple for approval, making sure it follows all UI guidelines (so goodbye MS Office!), uses only approved APIs, doesn't send personal information out over the internet, doesn't hack the system or allow the user to change the UI or perform any task which is against Apple's belief system, and any of the other controls that exist on the app store.

    Or does the fact that you could download an app on your Mac and have it do basically the same things, including grabbing personal and financial files and all the other fun stuff you have in your Users folder.

    But I'm sure no one would ever write, let alone download, such an app for OS X or Windows. Nah, it's only a problem on smart phones!

Login Here

Not a member of the MacNN forums? Register now for free.

toggle

Network Headlines

toggle

Most Popular

Sponsor

Recent Reviews

Dell AD211 Bluetooth speaker

For all of the high-priced, over-engineered Bluetooth speakers in the electronics market, there is still room for mass-market solution ...

VisionTek 128GB USB Pocket SSD

USB flash drives dealt the death blow to both the floppy and Zip drives. While still faster than either of the old removable media, sp ...

Kodak PixPro SL10 Smart Lens Camera

Smartphone imagery still widely varies. Large Megapixel counts don't make for a good image, and the optics in some devices are lacking ...

Sponsor

toggle

Most Commented

 
toggle

Popular News