No announcement yet.

Millions of Android users hit by malicious data theft app

  • Filter
  • Time
  • Show
Clear All
new posts

  • Millions of Android users hit by malicious data theft app

    stolen from here

    An app distributed by Google's Android Market has collected private data from millions of users and forwarded it to servers China, validating Apple's uniquely strong stance on mobile security in the iPhone App Store.

    The exploit, tied to an app that appeared to simply load free custom background wallpapers, was downloaded "anywhere from 1.1 million to 4.6 million times. The exact number isn?t known because the Android Market doesn?t offer precise data," according to a report by Dean Takahashi of VentureBeat.

    The app "collects a user?s browsing history, text messages, your phone?s SIM card number, subscriber identification, and even your voice mail password. It sends the data to a web site, That site is evidently owned by someone in Shenzhen, China," the report noted (see the update by Lookout below).

    The data upload was only discovered afterward, through forensics performed by mobile security firm named Lookout which sells virus and malware protection software for Android, Windows Mobile and BlackBerry devices. The problem was announced at the Black Hat security conference being held in Las Vegas.

    (Update: Lookout has clarified in followup comments with AppleInsider that the intent of their "App Genome Project" research was to "identify security threats in the wild and provide insight into how applications are accessing personal data and other phone resources."

    The group noted that the Android wallpaper app was "not proven to be malicious," but that the app does "ask the user for specific information around the phone details and that information is transferred to a server [in China]."

    Correcting the original VentureBeat story, Lookout stated that "the apps from these developers send several pieces of sensitive data to a server, including a device?s phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a device?s SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password)."

    Lookout also reiterated there is "no proof of malicious intent and in the past apps have been a bit overzealous in getting access to sensitive data with no ill intent." Lookout compared the Android wallpaper app copying local data to a Chinese server with a recent App Store title that purported to be a flashlight app while actually including a hidden SOCKS proxy that could be used for tethering.

    Lookout added that it hasn't "yet" published a report detailing the Android wallpaper app, suggesting that it is continuing to look at the situation.)

    Mobile data theft on the increase

    The issue recalls a recent AT&T website leak that could hypothetically have enabled a malicious hacker to access 144 thousand of iPad 3G user's email addresses.

    However, the Android app data theft was actually perpetrated by malicious hackers and not just demonstrated by researchers; it involves far more sensitive data; and affected far more victims--by more than an order of magnitude.

    iOS vs Android in app security

    Apps on any platform can access personal data and forward that data to an external server, but the Lookout research found that 47 percent of the selection of Android apps it looked at incorporated third party code (which may include malicious functions), while only 23 percent of analyzed iPhone apps did.

    Apple also approves iOS apps through a strict vetting process before listing them in the App Store, while Google's Android Market app security involves simply warning the user that an app needs permissions to perform certain functions during the install.

    Unlike other mobile platforms secured by Lookout, Apple's iOS platform doesn't have a live virus problem because third party iPhone apps can only be distributed through Apple's curated App Store, and apps are forced to run in a segregated sandbox environment where they can't infect the system. That doesn't necessarily mean iOS apps can't forward user data inappropriately however; Apple has discovered and pulled apps that have violated its privacy policies.

    Apps must also be signed by a certificate created by Apple, which makes it much harder for malicious developers to anonymously distribute software designed to cause problems or steal data. Apple's security measures also make such efforts less attractive financially, despite the iOS platform's installed base being much larger than Android's.

    Exploitable vulnerabilities in the iOS platform have been reported elsewhere, including the Safari browser, but crafting a malicious attack via the browser requires luring users to a malicious site rather than simply distributing a bad app that appears to be useful and genuine.

    Lookout chief executive John Hering said in the report that "he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps," but the report noted it's "unclear what happens" when apps don't actually do what they represent.
    rc forums looking for cabinet pc atx power supply for 12/5 volt for mame cabinet and turn it on
    if your new to electronics and

  • #2
    Apple's uniquely strong stance on mobile security
    Thats a craptacular statement. The iphone has had one or two similiar to this too. Trying to validate Apple's nazi like tactics using this argument is a joke.

    My Projects - Space Invaders Bartop, Williams A-Go-Go, Galaxian Bartop, Jukebox Kiosk 1&2, Jukebox Kiosk 3, Virtual Minipin, Generic Upright, MultiCab, Rampage,


    • #3
      And it doesn't tell you which app it is!!
      I have an N1 - but luckily I don't have any wallpaper apps on it.


      • #4
        I guess just like the PC, people just have to watch out what they download. Unfortunately with the strangle holds Apple and Google are going for, it means that we are almost forced to leave the 'looking for bad apps' up to them.

        It was only a few weeks ago that researchers forced Google to prove that they had the power to kill apps on handsets remotely:
        I am not sure what's worse really; Companies having the power to monitor, kill, and install apps remotely, or people being tricked into actually thinking they are in a secure network being watched by these companies. Either way it sucks....


        • #5
          Originally posted by spot View Post
          And it doesn't tell you which app it is!!
          I have an N1 - but luckily I don't have any wallpaper apps on it.
          i noticed that bit as well. how convenient of them to miss the vital part out
          rc forums looking for cabinet pc atx power supply for 12/5 volt for mame cabinet and turn it on
          if your new to electronics and


          • #6
            Originally posted by @lien_Zed View Post
            validating Apple's uniquely strong stance on mobile security
            I'll second Brad's comment on this.

            The iPhone is one of the worst mobile devices for security. It has bugger all safe guards against data loss, and the ones that are there are trivial to bypass. We've got business uses begging us for iPhones at work, but we just can't secure the things down well enough to meet with our security policies (which aren't that strict, nor out of the ordinary for the finance industry). It's simply trivial to take a pin-protected iPhone, plug it into a standard PC and have all of the data off it in minutes with freely available tools.

            While Google and Android developers certainly need to up their game and get their platform more secure, for Apple Insider to make the above statement is ridiculous.
            | |


            • #7
              A little more info on this.

              The apps in question came from two developers: 'jackeey,wallpaper', whose developer name has changed to 'callmejack' since the research was released, and 'IceskYsl@1sters!'. The applications do send data back to a central server, but Lookout said that this is not necessarily suspicious.


              • #8
                In other news...



                Users Viewing Topic: 0 members and 1 (guests)