Android App Steals and Sends User Data to China


A popular third-party wallpaper app for Android-based smartphones apparently collects user’s personal data and uploads it to servers in China without permission. The news was revealed by the mobile security company Lookout at the Black Hat Conference in Las Vegas, according to VentureBeat.

The wallpaper app comes from Jackeey Wallpaper and has been downloaded somewhere between 1.1 million and 4.6 million times. It collects user’s voicemail password, SIM card number and subscriber ID, and sends the information off to imnet.us in Shenzhen China.

Third-party apps don’t go through any screening process before appearing on the Android Market, which is Google’s version of Apple’s iPhone App Store. In contrast, apps must go through Apple’s screening and approval process before being distributed through the App Store.

Google monitors the apps that appear on its Android Market store, although in a more reactive mode when compared to Apple’s App Store approval process.

The issue with Jackeey Wallpaper’s Android app will no doubt serve as an example for Apple policy supporters showing why the company’s strict review policies are necessary.

Google has not yet responded to TMO’s request for a comment.


Comments

Khaled

Imagine headlines if it was an iOS app

geoduck

So again: Why is Apple’s walled garden a bad thing?

This shows why a curated AppStore is better for the average user than the wild west approach of the AndroidMarket. Sure Apple blocks some stuff that you or I may want. But it also blocks a lot more stuff that you don’t want to get on your device, or your kids device, or your mom’s.

If you don’t like it, fine go Android or Jailbreak your iPhone. More power to you. But for the AVERAGE user out there, these safeguards do a lot of good and aren’t an inconvenience.

Khaled

AndroidMarket can be a central curated store and open other markets for the advanced users

Nemo

I wonder now whether the Librarian of Congress is still of the view that it is Fair Use to jailbreak the iOS? I know that the Government can’t be sued if someone suffers damages as a result of jailbreaking their iOS device, so with no Sheriff in town, I guess you’d be on your own.

Lee Dronick

I wouldn’t have an Android phone unless I could parole break it.

Bosco (Brad Hutchings)

Correction. It does not collect the voicemail password unless it is actually in the dial string for your voicemail. This is how Gizmodo updated their story on this:

UPDATE: Phandroid heard from Lookout, who clarified a few points, namely, that “the app does collect data from your phone, but only the device’s phone number, subscriber identifier, and voicemail number fields are retrieved. SMS and browsing history are not touched by any of the apps they analyzed throughout their Blackhat conference. Your voicemail’s password is also not transmitted unless you included the password in your phone’s voicemail number field.” [Thanks, commenter @gwydion]

The phone number and subscriber ID could legitimately be used as a GUID (globally unique user id) on a phone for ad tracking. I would not be surprised if iAd used exactly those.

The important thing to watch is Google’s response. There are a lot of things they can do short of going all Taliban like Apple’s App Store. One obvious thing is augmenting the description and calling more attention to apps that use “phone calling data”.

Google requires all Android Store vendors to have a verified Google Checkout account, so that if there is something malicious, they can track down the developer.

On the surface, it’s disturbing if a true security breach can affect a million people. So if that’s what it actually is, I will have the integrity to press Google to fix the hole. But as Jeff’s story shows (“It collects user’s voicemail password”), there is a bit of misinformation being spread right now.

Just Me

AndroidMarket can be a central curated store and open other markets for the advanced users

So an advanced user is going to disassemble every app he/she gets before loading the app into the phone? This sort of nonsense could be hidden in ANY otherwise functional app. So why would an advanced user not be vulnerable to hinky apps?

Nemo

Gee, Bosco, you’ve become so much more understanding and tolerant of security breaches. I, for one, remember you going all Taliban on Apple when an AT&T programming error disclosed the email addresses of iPad users. You insisted that Apple and Steve Jobs be burned at the stake, even though it was an AT&T programming flaw that caused the problem. No one could persuade you that Apple wasn’t at fault and shouldn’t suffer the severest consequences, though AT&T on the next day confirmed that the error was its error and publicly apologized for it.

Now, you find it regrettable that “on the surface” this malicious app, which is the direct result of Google’s post hoc—close the barn door after the horse is gone—security model, compromises the security of millions of Android users, but it will be okay if Google somehow fixes a hole in a malicious third party app. 

Well, I doubt that Google will do anything more than remove the offending app, after the fact, from the Android MarketPlace. I mean that I don’t see Google coding the app so that it works without being malicious in its effect. But the hole that needs fixing, and the only fix that will solve the problem of malware on the MarketPlace, which is a problem that will only increase in its frequency and severity, is for Google to institute methods and procedures for screening apps before it allows them into its MarketPlace.

I also understand that Google has instituted a fix to stop people from stealing developers’ apps, which apparently was trivially easy to do. I believe that you said you are developing for Android. How’s that working for you? Or are all your profits disappearing into the black hole that is the MarketPlace?

Bosco (Brad Hutchings)

Yes Nemo, and how convenient is it that you are not warning Jeff and every other blogger about potential liability for libel for including errors of fact about what the app is collecting? Not to mention commenters (like, um, Nemo) that have used words like “malicious” to describe the developer’s collection of said data.

I just looked into the SDK to see what kind of information they can get with phone state permissions. I hope you all follow Tiger’s advice and post this everywhere. You’re gonna look stupid grin.

And speaking of looking stupid, you’re on a slippery slope discussing Google’s new in-app purchase verification scheme. Do some research on it before commenting. Maybe even ask someone who knows how it works and has some insight into how to use it effectively. Like all good anti-piracy measures, it can keep honest people honest and keep a lot of dishonest people honest too. From a legal standpoint, it can make breaching more airtight illegal and actionable, and centralize the breaching activity.

JonGl

So again: Why is Apple’s walled garden a bad thing?

How about a false sense of security? Anybody recall the recent app that secretly allowed tethering on the iPhone? That one slipped through the cracks. Others have as well. If some developer is going to be sneaky, they will be sneaky, and the chances of them getting through are higher than we would like to think. Furthermore, I suspect that the walled garden in the iOS realm trickles down to those other “app phone” spaces such as on Android. There is a lot of good will/naiveté out there, which the walled garden sure reinforces… Now, don’t go and say that I am saying that this is a bad thing, or that I’m blaming Apple for this Android fiasco, but the truth is, there is a false sense of security in the iOS world, and it is expanded to the rest of the app phone space as well.

-Jon

praxis22

Well said Jon,

Bill Gates once made the point that whether or not you had AIDS, was a single bit of information 1 = yes, 0 = no, (binary) so how was anybody supposed to protect against the leak of a single bit of data?

If you do not understand that what you carry in your hand is a computer, and you don’t understand computers, then you’re at the mercy of everyone that does. Just because Apple do a quick check, doesn’t mean that the app they just checked doesn’t sleep for 24 hours, (or 6 months) and then de-cloak and go about its nefarious business.

Security is a state of mind, you either think about this stuff or you don’t, if you leave somebody else to do your thinking for you, you get what you asked for, if not what you deserve.

Nabeel Ahmed

Here’s a checklist of Things To Consider Before Downloading Apps From Android Market to be safe from these attacks.

Tiger

“Just because Apple do a quick check,”

Now THAT’S a good joke. How many months of stories have we had of developers complaining how long Apple spends reviewing apps?

Quick check. Yeah.

As for the one that slipped through the cracks. It went live and within hours was yanked. That’s a pretty rapid response.

As for this problem with the Android app, here’s the story, read it for yourselves. It’s still being ignored by CNN and CNET.

JonGl

As I said… false sense of security…

-Jon

geoduck

If anyone EVER believes that being on the internet is completely secure then they are delusional. The AppStore is safER because Apple makes an effort to both prevent the bad guys from posting stuff there and because when issues come to light they are aggressive about pulling the offending app.

Just because there is still petty crime does not mean we should do away with the police.

MacKeeper_fan_Mod

That’s simply part of the Android Marketplace model. The community is the basic police force, without the need for an up-front self-appointed police force (Apple).

Can the community still screw up? Of course. But the community can let more otherwise legit stuff through too, using the principle of “good unless proven otherwise”.

geoduck

Can the community still screw up? Of course. But the community can let more otherwise legit stuff through too, using the principle of “good unless proven otherwise”.

Would you want the FDA or CPSC to adopt that model for drug or product safety? Put any old compound on the market until someone says it’s killing people? Sell a product until someone points out that it has a tendency to explode?

Didn’t think so.

That said if you’re comfortable assuming the responsibility for protecting yourself and the risk of making a mistake then fine. Download whatever you want and run it. Enjoy your AndroidMarket. Personally I’m careful with what I download, but I like the concept of having Apple, or someone else running interference for me. They may not catch everything but it’s another level of shielding.

JonGl

Would you want the FDA or CPSC to adopt that model for drug or product safety? Put any old compound on the market until someone says it’s killing people? Sell a product until someone points out that it has a tendency to explode?

Didn’t think so.

Careful. Taking your line of reasoning would lead to a society where Big Brother would seem like freedom.

As to the existence of these agencies, and their practical usefulness, I would contend that they cause the same false sense of security and laziness that Apple does with its strict rules. People think they don’t need to check or verify. Companies think that if they keep to the minimums set by the government agencies, they’ve done their job. By doing so, they remove the intellect, and the self-preservation instinct from the equation, thus making any minor shortcoming of potentially disastrous proportions. Yet we only need to look around us at how these things happen in real life to know that regulations, etc. fall far short in real life. It’s like with traffic lights. In Europe (my town of Krakow, for instance), traffic agencies have begun learning that sometimes _less_ is safer. Turning off the lights, and forcing drivers to be aware and be careful because the light isn’t telling them when to go has two positive effects. 1. Traffic jams disappear, and 2. accidents go down.

Yes, this is much less “safe.” But honestly, do you want to live “safe” or free? Do we all really want to be automatons of the bureaucracy of the state or corporate entities who act as both our gatekeepers and conscience? Jailbreak forever. wink

-Jon

geoduck

I think the disagreement is because of a basic difference of philosophy.

I’m in Canada. In fact I deliberately moved to TO Canada because I like a more proactive government and regulatory structure. I think it’s the point of societies to band together and protect each other from the bad guys. I moved out of the US because after 45 years I was tired of the drive to total ‘freedom’ which results in too many predators and victims. The result of all that ‘freedom’ as I saw it was a loss of liberty as people had to spend more and more time and energy defending themselves. They simply don’t have the time to be free.

Obviously you disagree. I can respect that. That’s why there are different platforms in the marketplace. You want a more open system where there is nearly unlimited choice, albeit while accepting a bit more risk. I want a more limited selection where I can be reasonably assured that what I get is what it says it is.

That’s cool.

Peace.

JonGl

You want a more open system where there is nearly unlimited choice, albeit while accepting a bit more risk. I want a more limited selection where I can be reasonably assured that what I get is what it says it is.

I think you are still missing my point. You don’t get _more_ security. All you get is a greater _illusion_ of more security. How’s that health care doin’ for ya? It’s not just Canada. The UK is looking to privatize. I just read an article in my adopted home of Poland of some horrible results of institutionalized, centralized health care. It doesn’t really work better. The thing is, if you don’t have these “umbrellas” you don’t suffer from the delusion that they are actually parachutes. Where does the safety come from? Well, the threat of punishment in the courts, either the criminal or the civil courts.

Part of the problem in the US is that they are trying to have it both ways. It is the compromises that cause all the problems. Worse, as we see in the Apple Store situation. Generally the solution for the failure of the system is to increase the system! Do you want Apple to crack down harder and harder, limiting you, the customer more and more? Is that the situation you truly want? IIRC, the frog was happy as the water slowly came to a boil. But hey, man. peace. That’s cool… Let’s enjoy the ride…

geoduck

I think you are still missing my point. You don’t get _more_ security. All you get is a greater _illusion_ of more security.

By the same logic what’s the point of firewalls or antivirus. If they don’t stop everything then they are worthless. The point is security is not a wall. It’s a series of obstacles. Filtering, Firewalls, Antivirus, Passwords, downloads from a trusted source such as the AppStore and on and on. Each level adds a bit more. Defence in depth is necessary because no single layer is perfect. In a word yes you do get more security. It is not perfect but it is also not an illusion.

Some people will ride a motorcycle without a helmet. I will not get on a bike without one. It’s up to each person to decide but don’t try to tell me that helmets don’t save lives. I know they do. Don’t try to tell me that the curators of the AppStore don’t stop malware, because they do. In the computing world, though you have a choice. You can get programs from curated sites such as AppStore or from sites where the users rate software quality. That’s up to you. I do understand what you are saying I just think you are incorrect. Understanding does not require agreement. By curating the AppStore they ARE stopping Malware. They ARE stopping spyware. They ARE blocking apps that clash with others. That is by definition a more secure computing experience. It’s not perfect, some will get through, but that does not mean it’s valueless. It is an extra layer of security that is something I want and others, including yourself may not. That’s your choice.

How’s that health care doin’ for ya?

Fantastic. Far better than I got in the US at far less cost. It is one of the prides of Canada and aside from a minority that think as you do, and seem to appear on US news channels a fair amount, the rest of us up here are quite happy with it. The same goes in Britain, and Japan, and Germany. You cannot measure public health care by a minority of disgruntled free market conservatives or the isolated malpractice case. It’s all on how it’s run and overall, at least in Canada it’s run well. From what you are saying I get that the one in Poland is not run well. That’s unfortunate. But I doubt that you would say the USAF is a waste of money because of how well the Iraqi Air Force did in the current war. Similarly don’t make claims about our system based on the one in your country. I would direct you to a quote from Stephen Hawking during the Health Care debate where he said that he was alive BECAUSE of the public system in Great Britain.
National Post

The thing is, if you don’t have these “umbrellas” you don’t suffer from the delusion that they are actually parachutes.

Once again I understand what you are saying, I just completely disagree. It is the job of government to provide the safety net, a parachute if you will. That’s one of the reasons we have governments. Social Security to Medicare, to police, to firefighters, to the FDA, FAA, CPSA, and such are there because that IS the job of government and they do a vast amount of good. These ‘umbrellas’ DO protect Americans. Look at China where they don’t have a strong equivalent to the FDA and thousands of people are poisoned every year from contaminated products. Look to the third world where airliners crash every year because they don’t have a strong FAA to check on maintenance. Look at the US where old age is no longer feared. Before Medicare and SS old age meant poverty for most. They are not perfect, but IMO they are vastly better than the alternative.

Understand this. 20 years ago I would have agreed completely with you. I was a Reagan Republican, Libertarian to the core. I really believed that government was not the solution to the problem, it was the problem. A good person was one who was responsible for themselves and never asked for help. But a funny thing happened as I grew older. I saw people facing crises, illness without health coverage, getting ripped off without any recourse because they could not afford a lawyer, working off clock because their employer demanded it. Getting harassed and abused by the powerful because they could. 

Over the years I learned to be a Socialist.

<I thought Bryan killed the Politics forum>


Apologies to others that did not stop by for a political lecture. And now let’s get back to computers, shall we?

Steven Jackson

Canada’s health care is not privatized, Jon.

Lee Dronick

See today’s Joy of Tech comic

JonGl

By the same logic what’s the point of firewalls or antivirus. If they don’t stop everything then they are worthless. The point is security is not a wall. It’s a series of obstacles. Filtering, Firewalls, Antivirus, Passwords, downloads from a trusted source such as the AppStore and on and on. Each level adds a bit more. Defence in depth is necessary because no single layer is perfect. In a word yes you do get more security. It is not perfect but it is also not an illusion.

Thanks for that illustration, as it helps me realize where I missed making my point.

At issue is not how much security, but who is in control of it. You want a firewall, but do you want an Apple-sponsored firewall that only they control? Do you want the government to control it, like in China?

The issue is not how much control, but who is in control.

When you abdicate responsibility for your safety to Apple, or another corporate entity, whether it be a private, commercial enterprise or government (the largest corporation in the world, btw, is the US government), and then presume that they will always look out for _your_ best interests, and will always protect you, and that you are therefore “safe” is an illusion. That is the only point I’m trying to make. (btw, let’s not forget the hijacked iTunes accounts of only a few weeks ago. Nobody to this day knows how the accounts were hacked into)

-Jon

geoduck

At issue is not how much security, but who is in control of it. You want a firewall, but do you want an Apple-sponsored firewall that only they control? Do you want the government to control it, like in China?

It’s interesting that you bring up China. I’d suggest that China is a classic example of what happens when there is NO trust on the Internet. The government and the people do not trust each other and do everything they can to outmanoeuvre each other. That is nothing like the situation with the AppStore.

The Internet is based on trust and mutual support.
Do you code your own firewall? No you trust that Mac, Win, Ubuntu, Cisco, D-Link, etc. did their job.
Do you code your own AntiVirus and Definitions? No you trust Symantec, McAfee, Sophos, etc. to do the job for you.
Do you download software? Then you are trusting that Apple, CNET, TuCows, Mozilla, etc. are not hosting malware.
Do you buy software? Then you are trusting that Apple, MS, Adobe, etc. have made sure there is no malware on the disk.

The fact is you are NEVER in full control of your security on the web. It is physically impossible to be totally in control of your own security on the web. You always have to trust somebody. Personally I do not see much difference between downloading something from the AppStore and what I think of as a trusted site like Mozilla. I trust them both. OTOH if you really think you can be totally responsible for your own security then your only option would be to code everything from the BIOS on up yourself and never connect to the Internet.

No man is an island.

Rodney Barbati

How about google having a section in the market for apps that have been fully verified?

I just recently bought a Droid X, and already I am getting a bad feeling about most of the apps available.  The user reviews are negative on almost every app I look at the details for…

It would be nice to have a segment of the droid market where you know the apps work and have been reviewed for security concerns, etc.  Certification could be a quality mark for developers, giving them an incentive to deliver higher quality apps.
