Google declares suspicious Android wallpaper apps safe, lifts ban

Google has lifted a suspension on Android Market wallpaper apps that were caught sending users’ personal information overseas.

The wallpaper apps stirred controversy last week because the apps accessed mobile phone users’ personal information and sent it to a website in Shenzhen, China, for no apparent reason.

The app asks for your permission to access “phone calls” data on your phone. It then sends device information, subscriber identification, phone number, region, and voicemail phone number to the app developer’s website.

The controversy grew in part because we incorrectly reported in our initial post that the app also sent your text messages and browser history to the website. We corrected the error as soon as we heard the correct information. By that time, news had spread far and wide.

A Google spokesman said, “The developer’s applications have been reviewed and the suspension has been lifted.”

The developer of the wallpaper apps goes by the names Jackeey Wallpaper and Iceskysl. He confirmed via email that his apps had been restored. He said Google told him, “Our investigation has concluded that there is no obvious malicious code in your apps, though the implementation accesses data that it doesn’t need to.”

Google gave the developer suggestions about how he could improve his apps by following practices such as minimizing permissions and not collecting unnecessary information. The developer said he collected subscriber identification and phone number because some people complained that they lost the apps when they changed phones. He also said he collected the device data so that he could properly design wallpapers.

John Hering, chief executive of mobile security firm Lookout, made that point last week when he and chief technology officer Kevin Mahaffey brought up the Android Wallpaper app, which has dozens of versions available that redecorate your phone’s screen with images of My Little Pony or Star Wars. They did not say that the app stole data such as text messages and browser history. (Here is Lookout’s own statement on the wallpaper apps.)

Hering said that the apps did not appear to be malicious, but they were suspicious because they gathered information that a wallpaper app developer didn’t need in order to make the wallpaper app run. This is a common occurrence in the world of mobile apps, where developers don’t necessarily pay enough attention to the privacy of their users.

Hering and Mahaffey brought up the wallpaper app in a talk at the Black Hat conference in Las Vegas last week about their App Genome Report, which analyzed 100,000 Android and iPhone apps. The Lookout executives never said the wallpaper apps were malicious, but they did say it was suspicious that the apps were collecting unnecessary information. That has happened before with other app developers such as Aurora Feint and Storm8. Both of those companies corrected their data collection practices when it was brought to their attention.

Lookout found that the wallpaper apps sent the personal information — phone number, subscriber ID, and voicemail information — in unencrypted form to a website. If someone had hacked the website, they could have collected that personal data. But there is no evidence that has happened. The wallpaper apps have been downloaded anywhere from 1.1 million to 4.6 million times.

“We see this as an opportunity to educate developers on how not to make this mistake and to ensure that they keep their user’s information safe,” Hering said.

  • http://profiles.yahoo.com/u/QACMATPP5AI6GRYNSZNHZSKKRM Charles L

    You still don't have all the facts, Dean. Device info like phone # and IMEI were stored for a very obvious reason – to implement personalization feature. Server in China (there are millions there) doesn't mean it's nefarious or evil. Had you bothered to ask the app writer and fact checked before you spout out, none of this would've happened. Now someone’s reputation is ruined. Kudos for the abuse of power you media types. Same thing back when the Aurora attack happened. Some blog said “Chinese fingerprint” and everyone jumped on it. Turned out the 4-bit nibble CRC code came from 25 year old Novell programming guide. Worse, there’s no real effort to undo the damage that’s done. We basically can say anything about “Red Commie China” with impunity. Your attitude and this “no apparent reason” bit stinks IMHO. As a minority citizen I am horrified to witness our media's contribution towards America's rising anti-Chinese sentiment.

  • http://profiles.yahoo.com/u/QACMATPP5AI6GRYNSZNHZSKKRM Charles L

    Your article still has errors: “your name” – no, the app does not send your name. “voicemail information” – sounds like you are again deliberately misleading your user. Only voicemail # is saved, no password or any other information is saved. The app developer has given interview to Android Tapp and others, why don't you read and report what he said? You wronged Jacky Wu, and your lack of interest in his plight is astounding.
