[Update: Google has reviewed the wallpaper apps and lifted the ban on them.]
A questionable Android mobile wallpaper app that collects your personal data and sends it to a mysterious site in China has been downloaded millions of times, according to data unearthed by mobile security firm Lookout.
Apps that seem benign but are actually stealing your personal information are a big risk at a time when mobile apps are exploding on smartphones, said John Hering, chief executive, and Kevin Mahaffey, chief technology officer, of Lookout in their talk at the Black Hat security conference in Las Vegas today. (See our roundup of all Black Hat and Defcon stories.)
“Even good apps can be modified to turn bad after a lot of people download them,” Mahaffey said. “Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it.”
The app in question came from Jackeey Wallpaper, and it was uploaded to the Android Market, where users can download it and use it to decorate their phones that run the Google Android operating system. It includes branded wallpapers from My Little Pony and Star Wars, to name just a couple.
[Update: Lookout notes the app does not capture browsing history or text messages.] It collects your browsing history, text messages, your phone number, subscriber identification, and even your voicemail phone number password, as long as it is programmed into your phone. It sends the data to a web site, http://www.imnet.us. That site is evidently owned by someone in Shenzhen, China.
The app has been downloaded anywhere from 1.1 million to 4.6 million times. The exact number isn’t known because the Android Market doesn’t offer precise data. Lookout’s search through the data showed that Jackeey Wallpaper and another developer known as iceskysl@1sters! (which could possibly be the same developer, as they use similar code) were collecting personal data. The wallpaper app asks for permission to access your “phone calls,” but that isn’t necessarily a clear warning. While the behavior is suspicious, Lookout says there isn’t evidence of malicious behavior.
The Lookout executives found the questionable app as part of their App Genome Project. Lookout is a mobile security firm, and it logged data from more than 100,000 free Android and iPhone apps as part of the project to analyze how apps behave. It found that apps access your personal data quite often. On Android, each user is asked to grant an app permission to access data before installing it, but on the iPhone, where Apple approves apps, no such permission prompt is needed.
Roughly 47 percent of Android apps access some kind of third-party code, while 23 percent of iPhone apps do. The executives also found that many apps use third-party software to do things such as feed ads into an app. Often, developers unquestioningly include the software development kits of those third parties in their apps, even if they don’t know what that code does. In many cases, there is a good reason for the use of personal information. Ads, for instance, can be better targeted if the app knows a user’s location.
Hering said in a press conference afterward that he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps. But it’s unclear what happens when apps behave as the wallpaper apps do, where it’s not clear why they are doing what they are doing. [Update: Google has said it has suspended the wallpaper app while it investigates the matter].