Skip to comments.Millions of Android users hit by malicious data theft app
Posted on 02/02/2011 5:31:09 PM PST by Swordmaker
An app distributed by Google's Android Market has collected private data from millions of users and forwarded it to servers China, validating Apple's uniquely strong stance on mobile security in the iPhone App Store.
The exploit, tied to an app that appeared to simply load free custom background wallpapers, was downloaded "anywhere from 1.1 million to 4.6 million times. The exact number isnt known because the Android Market doesnt offer precise data," according to a report by Dean Takahashi of VentureBeat.
The app "collects a users browsing history, text messages, your phones SIM card number, subscriber identification, and even your voice mail password. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China," the report noted (see the update by Lookout below).
The data upload was only discovered afterward, through forensics performed by mobile security firm named Lookout which sells virus and malware protection software for Android, Windows Mobile and BlackBerry devices. The problem was announced at the Black Hat security conference being held in Las Vegas.
(Update: Lookout has clarified in followup comments with AppleInsider that the intent of their "App Genome Project" research was to "identify security threats in the wild and provide insight into how applications are accessing personal data and other phone resources."
The group noted that the Android wallpaper app was "not proven to be malicious," but that the app does "ask the user for specific information around the phone details and that information is transferred to a server [in China]."
Correcting the original VentureBeat story, Lookout stated that "the apps from these developers send several pieces of sensitive data to a server, including a devices phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a devices SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password)."
Lookout also reiterated there is "no proof of malicious intent and in the past apps have been a bit overzealous in getting access to sensitive data with no ill intent." Lookout compared the Android wallpaper app copying local data to a Chinese server with a recent App Store title that purported to be a flashlight app while actually including a hidden SOCKS proxy that could be used for tethering.
Lookout added that it hasn't "yet" published a report detailing the Android wallpaper app, suggesting that it is continuing to look at the situation.)
Mobile data theft on the increase
The issue recalls a recent AT&T website leak that could hypothetically have enabled a malicious hacker to access 144 thousand of iPad 3G user's email addresses.
However, the Android app data theft was actually perpetrated by malicious hackers and not just demonstrated by researchers; it involves far more sensitive data; and affected far more victims--by more than an order of magnitude.
iOS vs Android in app security
Apps on any platform can access personal data and forward that data to an external server, but the Lookout research found that 47 percent of the selection of Android apps it looked at incorporated third party code (which may include malicious functions), while only 23 percent of analyzed iPhone apps did.
Apple also approves iOS apps through a strict vetting process before listing them in the App Store, while Google's Android Market app security involves simply warning the user that an app needs permissions to perform certain functions during the install.
Unlike other mobile platforms secured by Lookout, Apple's iOS platform doesn't have a live virus problem because third party iPhone apps can only be distributed through Apple's curated App Store, and apps are forced to run in a segregated sandbox environment where they can't infect the system. That doesn't necessarily mean iOS apps can't forward user data inappropriately however; Apple has discovered and pulled apps that have violated its privacy policies.
Apps must also be signed by a certificate created by Apple, which makes it much harder for malicious developers to anonymously distribute software designed to cause problems or steal data. Apple's security measures also make such efforts less attractive financially, despite the iOS platform's installed base being much larger than Android's.
Exploitable vulnerabilities in the iOS platform have been reported elsewhere, including the Safari browser, but crafting a malicious attack via the browser requires luring users to a malicious site rather than simply distributing a bad app that appears to be useful and genuine.
Lookout chief executive John Hering said in the report that "he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps," but the report noted it's "unclear what happens" when apps don't actually do what they represent.
Thursday, July 29, 2010
If you want on or off the Mac Ping List, Freepmail me.
yeah, just posted because of the update with counts of the number of people who downloaded the app in question, which was just posted with the completion of the research on it, I think... It might be FUD because of the pre-orders of iPhones on Verizon due to start tomorrow.
All systems are vulnerable, but Apple has the proper stance on this. The barrier to getting product into these ap stores had better be damned high, and IANAL but I’d think the companies fronting the stores could be open to some liability if not.
When was this updated? It looks like the URL still goes to the original article.
Soon, very soon, I’ll be shitcanning my Droid piece of cow feces for an Verizon iPhone....FINALLY!!
What about current sales?
Which is it?
Granted, sending user data anywhere is always suspect, and I'm certainly not defending or justifying.... just asking. Is there now proof of malice? Or is it still only suspected?
Check sales after you don’t have to use AT&T. Many, me included, don’t want an AT&T account.
Cool... I’m going from a caveman with no cell to android... nice to know how secure these “smart” phones are!
get used to it. linux will end up running everything, and some people don’t know that yet.
Good question. Several news media picked it up today, so I assumed the update was today... But there is no proof of that. That’s why I suspected FUD.
Okay, which app was it (name)? That would be something I, as an Android user, would really like to know. I read the article twice and didn’t see the name. I hate it when they do that.
Discounting the non-Android Androids 27%, it's still being beat out by iPhones 28%, and both are beating RIM also at 27%, according to Nielson.
Get used to what?
Linux is a fine OS, quite suitable for a lot of things (I use it for most of my servers at work and home), but to say it will fill every available application is a little over-reaching, no?
Like I said, I smell FUD in the air... Regardless of who it’s directed toward, it is still FUD.
You'd think the media would vet the stories a little better, but apparently not.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.