Malicious Android wallpaper app downloaded by millions


Millions of Android smartphone users have downloaded a malicious wallpaper application that collects their personal data and sends it to a mysterious Chinese website, according to data uncovered by mobile security firm Lookout. Speaking Wednesday at the Black Hat security conference in Las Vegas, Lookout CEO John Hering and CTO Kevin Mahaffey said anywhere from 1.1 million to 4.6 million consumers have downloaded the Jackeey Wallpaper application (the exact number is unknown because Android Market does not supply exact download data). The app, which features branded wallpapers spotlighting franchises ranging from Star Wars to My Little Pony, collects the user's browsing history, text messages, SIM card number, subscriber identification and voicemail password, relaying the data to www.imnet.us, a website owned by an unidentified figure in Shenzhen, China.

"Even good apps can be modified to turn bad after a lot of people download it," Mahaffey said. "Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it."

Lookout discovered the Jackeey Wallpaper in conjunction with the App Genome Project, a study of application behaviors encompassing more than 100,000 free Android and iPhone apps. The App Genome Project indicates that many applications access personal data on a regular basis, typically to support functions like ad serving. Roughly 47 percent of Android apps access some kind of third-party code, compared to 23 percent of iPhone apps.

Google cites violations of the Android Market Developer Distribution Agreement or Content Policy as the catalysts behind most app removals. In the event a malicious app poses a threat, Google also maintains technologies and processes to remove installed apps from Android devices, and says it sends the user a notification whenever it deletes software from their handset. "In case of an emergency, a dangerous application could be removed from active circulation in a rapid and scalable manner to prevent further exposure to users," Android Security lead Rich Cannings wrote on the Android Developers Blog in late June. "While we hope to not have to use it, we know that we have the capability to take swift action on behalf of users' safety when needed."

Updated Aug. 4, 2010: Google lifted a suspension on the Jackeey Wallpaper application after determining the Android app does not transmit consumers' text messages and browser history to the www.imnet.us website, and only accesses personal information upon receiving user authorization. VentureBeat admits it incorrectly reported the original story. "The developer's applications have been reviewed and the suspension has been lifted," a Google spokesperson said.

For more on the Lookout app study:
- read this VentureBeat article
