Not too long ago we discussed keeping your Android device safe from malicious attacks; the general advice was that it doesn’t hurt to take a moment to look at what that cool app is requesting access to, before you download it. This week at the Blackhat security conference, a company by the name of Lookout detailed an app on the market that was extremely questionable in nature:
During our research, we found series of wallpaper applications in the Android Market are gathering seemingly unnecessary data. The wallpaper applications that we analyzed transmitted several pieces of sensitive data to a server over an unencrypted network connection. The data included the device’s phone number, subscriber identifier (e.g. IMSI), and the currently entered voicemail number on the phone (see below for technical details). While this sort of data collection from a wallpaper application is certainly suspicious, there’s no evidence of malicious behavior. There have been cases in the past on other mobile platforms where well-intentioned developers are simply over-zealous in their data gathering, without having malicious intent.
To be clear, while a simple wallpaper app needs access to such data is very suspect, as of this posting nothing malicious has been discovered in connection with the apps in question. Still, it’s a reminder of just how easily one can open their device to unauthorized access. While various figures are being used for the total number of app downloads, the smallest number being mentioned is 50,000. There are plenty of security apps to choose from to help keep your data safe, including one from Lookout.
You can read more about Lookout’s report HERE; and while you’re at it, it’s worth reading this post on launcher spam.
Source: MyLookout blog
About the Author
I’m curious as to which apps are listed under this “suspicious” category. They cannot do much, but they can sure as heck listen to our voicemails (worst case) and sell our personal information to 3rd parties for profit. Is this legal?
rst_ack,
From the source:
The wallpaper apps that we analyzed came from two developers “jackeey,wallpaper” (whose developer name has changed to “callmejack” since we originally released our research) and “IceskYsl@1sters!”.
I’m curious as to which apps are listed under this “suspicious” category. They cannot do much, but they can sure as heck listen to our voicemails (worst case) and sell our personal information to 3rd parties for profit. Is this legal?
rst_ack,
From the source:
The wallpaper apps that we analyzed came from two developers “jackeey,wallpaper” (whose developer name has changed to “callmejack” since we originally released our research) and “IceskYsl@1sters!”.
rst_ack,
From the source:
The wallpaper apps that we analyzed came from two developers “jackeey,wallpaper” (whose developer name has changed to “callmejack” since we originally released our research) and “IceskYsl@1sters!”.
I’m curious as to which apps are listed under this “suspicious” category. They cannot do much, but they can sure as heck listen to our voicemails (worst case) and sell our personal information to 3rd parties for profit. Is this legal?
I think the security design of android might be a bit flaw in which we have to agree with the permission during installation and after that we can’t change or restrict the app anymore. And there is no clear reason on why any app from market need those permission in the first place.
I think the security design of android might be a bit flaw in which we have to agree with the permission during installation and after that we can’t change or restrict the app anymore. And there is no clear reason on why any app from market need those permission in the first place.
I think the security design of android might be a bit flaw in which we have to agree with the permission during installation and after that we can’t change or restrict the app anymore. And there is no clear reason on why any app from market need those permission in the first place.
I think Android users and Google are kind of stuck between a rock and a hard place right now because if, for example, they implemented a stricter app-approval system (Google APProval would be a cool name for that sytem, btw) – Android users will most likely be upset because the Apple-mentality it will bring to mind but in doing so, maybe they will be able to prevent some of the malicious applications from entering the market. I have never used an iPhone so I can’t vouch for the truth in this, but I have heard that it really isn’t difficult to sneak malicious / misleading software into the Apple App Store so maybe this really isn’t the answer.
My thought was that if Google required each individual permission be approved, possibly people would be more inclined to read that disclaimer. If they had to say “yes – approve permission X. This permission grants the app access to view files on your SD card” or what have you. It would do this for each permission. The only thing I’m thinking is that, as you guys know, sometimes the list of permissions is rather lengthy so not a whole lot of people are going to be happy having to click “yes – approve” that many times. Probably, in all reality, people would just click “yes” over and over, just ignoring the disclaimers.
What do you guys think? I don’t really think malicious software on Android has gotten to be a major threat just yet, though.
I think Android users and Google are kind of stuck between a rock and a hard place right now because if, for example, they implemented a stricter app-approval system (Google APProval would be a cool name for that sytem, btw) – Android users will most likely be upset because the Apple-mentality it will bring to mind but in doing so, maybe they will be able to prevent some of the malicious applications from entering the market. I have never used an iPhone so I can’t vouch for the truth in this, but I have heard that it really isn’t difficult to sneak malicious / misleading software into the Apple App Store so maybe this really isn’t the answer.
My thought was that if Google required each individual permission be approved, possibly people would be more inclined to read that disclaimer. If they had to say “yes – approve permission X. This permission grants the app access to view files on your SD card” or what have you. It would do this for each permission. The only thing I’m thinking is that, as you guys know, sometimes the list of permissions is rather lengthy so not a whole lot of people are going to be happy having to click “yes – approve” that many times. Probably, in all reality, people would just click “yes” over and over, just ignoring the disclaimers.
What do you guys think? I don’t really think malicious software on Android has gotten to be a major threat just yet, though.
I think Android users and Google are kind of stuck between a rock and a hard place right now because if, for example, they implemented a stricter app-approval system (Google APProval would be a cool name for that sytem, btw) – Android users will most likely be upset because the Apple-mentality it will bring to mind but in doing so, maybe they will be able to prevent some of the malicious applications from entering the market. I have never used an iPhone so I can’t vouch for the truth in this, but I have heard that it really isn’t difficult to sneak malicious / misleading software into the Apple App Store so maybe this really isn’t the answer.
My thought was that if Google required each individual permission be approved, possibly people would be more inclined to read that disclaimer. If they had to say “yes – approve permission X. This permission grants the app access to view files on your SD card” or what have you. It would do this for each permission. The only thing I’m thinking is that, as you guys know, sometimes the list of permissions is rather lengthy so not a whole lot of people are going to be happy having to click “yes – approve” that many times. Probably, in all reality, people would just click “yes” over and over, just ignoring the disclaimers.
What do you guys think? I don’t really think malicious software on Android has gotten to be a major threat just yet, though.
I agree Nate, not yet, but one does have to pay attention to what an app wants perms wise.
This is nothing new, we have dealt with this in computers for as long as we’ve had them. Unfortunately, for the masses, they want others to think for them.
I agree Nate, not yet, but one does have to pay attention to what an app wants perms wise.
This is nothing new, we have dealt with this in computers for as long as we’ve had them. Unfortunately, for the masses, they want others to think for them.
I agree Nate, not yet, but one does have to pay attention to what an app wants perms wise.
This is nothing new, we have dealt with this in computers for as long as we’ve had them. Unfortunately, for the masses, they want others to think for them.
I’m use android phone. i think this application bery usefull for security.