Personal data about millions of Android users could be sent to a mysterious Chinese website thanks to a set of wallpaper apps in the Android Market.
That’s according to mobile security firm Lookout, which discovered the questionable apps as part of its new App Genome Project, an effort to identify security threats in the wild and provide insight into how applications are tapping into personal data and accessing other phone resources.
The apps include branded wallpapers from “Star Wars” and “My Little Pony.” Created by developers “jackeey,wallpaper” — whose developer name has since changed to “callmejack” — and “[email protected]!,” they collect the device’s phone number, subscriber identifier and currently programmed voicemail number, Lookout spokesperson Erika Shaffer told LinuxInsider.
‘We Have Suspended This Application’
That information is then sent to www.imnet.us, a site owned by someone in Shenzhen, China, VentureBeat reported.
Lookout presented its discovery Wednesday at the Black Hat security conference in Las Vegas.
“We have suspended this application while we investigate further,” Google spokesperson Jay Nancarrow told LinuxInsider.
Millions of Downloads
The apps gain access to the data in question via the “android.permission.READ_PHONE_STATE” permission, which grants them access to the APIs that return those identifiers, Lookout explained Thursday on a company blog.
They have been downloaded somewhere between one million and four million times, Shaffer noted.
“While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior,” Lookout noted in its blog post. “There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent.”
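The permission-based access described above can be checked before install by reading an app's decoded AndroidManifest.xml. The following is an added example, not code from the article or from Lookout; it parses a constructed sample manifest and flags, for review rather than as proof of malice, the combination of READ_PHONE_STATE (which exposes the phone number and subscriber identifier) with INTERNET (which lets the app send that data off the phone).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# READ_PHONE_STATE is the permission the article names; INTERNET is what an
# app needs to send anything it reads to a remote site.
IDENTIFIER_PERMS = {"android.permission.READ_PHONE_STATE"}
NETWORK_PERMS = {"android.permission.INTERNET"}

# Constructed sample of a decoded AndroidManifest.xml; not from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Example Wallpaper"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def audit_permissions(manifest_xml: str) -> list:
    """Return review findings as strings; an empty list means nothing to flag."""
    perms = declared_permissions(manifest_xml)
    ids = perms & IDENTIFIER_PERMS
    net = perms & NETWORK_PERMS
    findings = []
    if ids:
        findings.append("reads device identifiers via " + ", ".join(sorted(ids)))
    if ids and net:
        # Identifier access alone is common; paired with network access it is
        # worth asking what leaves the phone and where it goes.
        findings.append("identifier access combined with INTERNET: review outbound traffic")
    return findings


if __name__ == "__main__":
    for finding in audit_permissions(SAMPLE_MANIFEST):
        print("REVIEW:", finding)
```

Run against a manifest pulled from an APK with a decoding tool; the script only reports the permission combination and does not decide whether the app is malicious.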
Less Likely on Android
Lookout’s App Genome Project has already scanned nearly 300,000 applications and fully mapped nearly 100,000, the company says.
Early findings show differences in the sensitive data that is typically accessed by Android and iPhone applications and a proliferation of third-party code in applications across both platforms.
Applications on Android are generally less likely than those on iPhone to be capable of accessing a person’s contact list or retrieving their location, Lookout found. Specifically, 29 percent of free applications on Android were found to be able to access a user’s location, compared with 33 percent of free apps on the iPhone.
Nearly twice as many free applications on the iPhone have the ability to access people’s contact data as do on the Android platform, Lookout reported.
The App Genome Project also found that a large proportion of applications contain third-party code with the ability to interact with sensitive data in a way that may not be apparent to users or developers. Forty-seven percent of free Android applications included such code, while 23 percent did on the iPhone, Lookout found.
Such code is typically used for advertising or analytics, it noted.
“While third-party code is widespread on both applications, most of this code is from advertising networks and for analytics purposes which have a legitimate need for that data,” Shaffer explained. “It’s not a bad use of personal information.”
Not Necessarily Malicious
Even the wallpaper app was “not proven to be malicious,” Shaffer stressed.
Nevertheless, “while the user agrees to this and knows this data is being accessed, this is an example of where it’s not clear why that data is being accessed or how it might be used,” Shaffer pointed out.
“The App Genome Project is an important step in securing our mobile phones against threats,” asserted John Hering, CEO of Lookout. “Early results point to the need for developers to be more aggressive about protecting consumers’ personal information, including what information is accessed, what is sent off the phone, and how it is stored.”
‘Users Get Hurt’
With the Android Market “exploding” in popularity, “these are exciting times for users, but it can also be like the wild, wild west,” telecom analyst Jeff Kagan told LinuxInsider.
“It is exciting, and you can find apps to do most anything, but that does not mean these apps are safe,” Kagan explained. “When bad apps are found, they are taken out of the system, but in many cases users get hurt before that happens.”