ALERT! Malicious Android Wallpaper App Raided Personal Data

[furbearingmammal]

With a "potential" or "alleged" security hole of this magnitude, I think reposting the information in the news section is a Good Thing. Thanks CK!

 

[hookbill]

That wallpaper looks horrible. I double checked just to make sure but I've never downloaded anything like that.

 

[devinhfox]

Just installed Lookout. It indicates it has access to my personal data.....ummmmm what???? This is considered safe??

Sent from my Droid using Tapatalk

 

[Shadez]

Would be too much for you to update this with correct information

Would it be to much for you to read the thread before jumping the gun?

I did. There updates to this story long before it was posted here yet the main topic, which is viewable on the front page still has false information. So how is that jumping the gun?

Because if people read the thread they will see the updates. We dont have an AP style news ticker. And as far as it being old news, the update one here was posted within minutes of Lookpout posting the following:

Update and Clarification of Analysis of Mobile Applications at Blackhat 2010

July 29

This week at Blackhat, we released the first findings from the App Genome Project. Our goal with this research is to help make people aware of the capabilities of mobile apps so that they can be vigilant while downloading.

Mobile applications on all platforms–iPhone, BlackBerry, Android, and Symbian–can potentially gather sensitive data from users and we think it’s important that both developers and users act responsibly. The Android permission model, for example, takes steps to inform users of the capabilities of apps, including what personal data the app could be accessing, thus empowering users to evaluate the apps they download and make good decisions.

During our research, we found series of wallpaper applications in the Android Market are gathering seemingly unnecessary data. The wallpaper applications that we analyzed transmitted several pieces of sensitive data to a server over an unencrypted network connection. The data included the device’s phone number, subscriber identifier (e.g. IMSI), and the currently entered voicemail number on the phone (see below for technical details). While this sort of data collection from a wallpaper application is certainly suspicious, there’s no evidence of malicious behavior.

There have been cases in the past on other mobile platforms where well-intentioned developers are simply over-zealous in their data gathering, without having malicious intent.

The wallpaper apps that we analyzed came from two developers “jackeey,wallpaper” (whose developer name has changed to “callmejack” since we originally released our research) and “IceskYsl@1sters!”. According to androlib, applications from “jackeey,wallpaper” are estimated to have been download 1-4 million times.

Nearly all of the wallpaper applications that we analyzed (more than 80) by “jackeey,wallpaper” and “IceskYsl@1sters!” requested the permission “android.permission.READ_PHONE_STATE” which grants the application access to APIs to access the device’s phone number, subscriber id, and more. Interestingly enough, a few of the wallpaper apps by “IceskYsl@1sters!” did not request access to the phone state permission.

Looking closer at the applications using disassembly tools, we’re able to inspect what’s actually happening inside of the app. We found that apps from both developers shared common code inside of a class named “SyncDeviceInfosService”. Here’s an excerpt from one of the app’s implementation of the class. Because the “getDevice_info” method is quite long, we’ve only included the calls to sensitive APIs.

.method protected getDevice_info()Ljava/lang/String;
...
invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
...
invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
...
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;
...
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
...
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getVoiceMailNumber()Ljava/lang/String;

As you can see, there is code in the wallpaper applications that accesses sensitive data. It’s important to note that not all applications that access sensitive data actually transmit it off of the device. In order to see what sort of information the wallpaper applications transmit to the internet, we analyzed the network traffic generated by the application. When we used the application, one request in particular stood out, an unencrypted HTTP request to a server named “imnet.us”. Below is the raw request:


POST /api/wallpapers/log/device_info?locale=en-rUS&version_code=422&w=320&h=480&... [Note: irrelevant parameters removed]
Content-Length: 1146
Content-Type: application/x-www-form-urlencoded
Host: Home - Jokes Paltform,funny lift for your
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Expect: 100-Continue
uniquely_code=000000000000000&device_info=device_id%3D000000000000000%26device_software_version%3D
null%26build_board%3Dunknown%26build_brand%3Dgeneric%26build_device%3Dgeneric%26build_display%3Dsdk-eng+2.2+FRF42+36942+test-keys%26build_fingerprint%3D
generic%2Fsdk%2Fgeneric%2F%3A2.2%2FFRF42%2F36942%3Aeng%2Ftest-keys%26build_model%3Dsdk%26build_product%3Dsdk%26build_tags%3D
test-keys%26build_time%3D1273720406000%26build_user%3Dandroid-build%26build_type%3Deng%26build_id%3DFRF42%26build_host%3De-honda.mtv.corp.google.com%26build_version_release%3D2.2%26build_version_sdk_int%3D
8%26build_version_incremental%3D36942%26density%3D1.0%26height_pixels%3D480%26scaled_density%3D
1.0%26width_pixels%3D320%26xdpi%3D160.0%26ydpi%3D160.0%26line1_number%3D15555218135%26network_country_iso%3D
us%26network_operator%3D310260%26network_operator_name%3DAndroid%26network_type%3D3%26phone_type%3D
1%26sim_country_iso%3Dus%26sim_operator%3D310260%26sim_operator_name%3DAndroid%26sim_serial_number%3D
89014103211118510720%26sim_state%3D5%26subscriber_id%3D310260000000000%26voice_mail_number%3D
%2B15552175049%26imsi_mcc%3D310%26imsi_mnc%3D260%26total_mem%3D35885056


Decoding the data in the POST request, we can see that several pieces of sensitive data are being sent to a server:

sim_serial_number=89014103211118510720
subscriber_id=310260000000000
line1_number=15555218135
voice_mail_number=+15552175049


While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior. There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent.

We’ve been working with Google to investigate these apps and they’re on top of it.

Overall, our goal is to help users and developers alike across all mobile platforms to be responsible and vigilant in ensuring a safe mobile experience.

Update and Clarification of Analysis of Mobile Applications at Blackhat 2010 | The Official Lookout Blog

 

[pilot25]

I downloaded the windows7 wallpaper long long time ago and used it. I'm I Fcked?

 

[RW-1]

No comment here. But I never use those apps for wallpaper, I'll go out and grab my own images.

 

[djkms]

IMO there needs to be a WAY better form of security and it starts with google.

ANY one of these app developers can go rogue and steal our information. The problem is this can happen to any app on the market, it could happen with a app you use for years and TRUST. Lets say there is a app that you have used for 2 years and updates every other day, chances are people will get lazy or trusting and not read what the app has access to when updating..

 

[Lucas5]

i agree. there needs to be better security, but dev's can't simply slip in additional security w/o raising a flag. the market app will alert you on an app update if the security permissions change suddenly.
my concern is that such a concern for security on a phone SHOULDN'T be necessary. This is a phone and one day your mother or grandfather might buy one. I'm sure they won't have the technical know-how. It's unfortunately, but things will need to be dumbed down and security beefed up. that's why apple's products are so successful, because they're dumbed down.

 

[Bear in NM]

This whole process of installing aps and trying to review at installtion is certainly troublesome at best.

Back when the phone was first rooted, "everyone" recommended and installed this certain screen capturing ap. When I went to install, the list of permissions was what looked like every aspect of the phone. I immediately called bs, and did not download. I revisited the app a few weeks ago, and lo and behold the list of permissions made more sense.

So I think there is some indication that perhaps either dev. laziness does indeed exist, or enough folks called bs to the developer to get them to become unlazy. The problem is trying to cypher what accesses to make sense for a particular app. One of the reasons I have been disappointed that Droid Wall has not been working with 2.2. It would be handy to have a program that you could use to manually kill an apps access to the network, on an individual basis.

I know a lot of folks like to get ballistic whenever we have a Android Virus thread. Well perhaps virus is no longer the right phrase. As much as folks love to knock windows and proclaim the virtues of Linux/Amdroid, we got some holes that certainly need filling.

And folks, whether the first install or an update, the market will tell you what permissions an app is requesting. I would heartily suggest reading them, and if uncertain, drop the dev. a question. Most have ways to be contacted. And if enough of us do this, perhaps this in and of itself will help dev's become "unlazy".

Craig

 

[Bear in NM]

Oops, forgot to add, you can go into your manage applications under setting and view installed apps pemissions.

Craig

 

[aminaked]

Personal information...what is everyone hiding? The only thing, and correct me if I'm wrong, that was really sensitive is that it could've stolen your voicemail password if you had entered it as one of your contacts...like *86,,[password]

 

[djkms]

Personal information...what is everyone hiding? The only thing, and correct me if I'm wrong, that was really sensitive is that it could've stolen your voicemail password if you had entered it as one of your contacts...like *86,,[password]

Really!?!?! your just kidding asking this right?

I consider personal information:
My phone #, email, address (not that its in my phone but the ability is there), friends/family numbers/email, websites visited, passwords, logins, you name it.

Lets take for example a replacement keyboard app. It could theoretically log every keystroke, see my phone number, address, email, the possibilities are endless. A cell phone is way less secure than a pc with a good antivirus and is a hub of personal information with what smart phones can do today.

 

[aminaked]

Personal information...what is everyone hiding? The only thing, and correct me if I'm wrong, that was really sensitive is that it could've stolen your voicemail password if you had entered it as one of your contacts...like *86,,[password]

Really!?!?! your just kidding asking this right?

I consider personal information:
My phone #, email, address (not that its in my phone but the ability is there), friends/family numbers/email, websites visited, passwords, logins, you name it.

Lets take for example a replacement keyboard app. It could theoretically log every keystroke, see my phone number, address, email, the possibilities are endless. A cell phone is way less secure than a pc with a good antivirus and is a hub of personal information with what smart phones can do today.

No, not kidding. My phone number is in the phone book. I have numerous email addresses all over my web pages. My address is in the phone book...or you can just walk up to it. My friends and family are also in the phone book and their email addresses are on the internet.

As far as web sites I've visited and passwords, you have a good point. I trust the maker of dolphin. Because Android is Linux, another app shouldn't be able to access dolphin's data.

As far as the keyboard replacement, yes you need to trust where it comes from. Same goes for ROMs. Some software, you really need to trust. As for the rest, be careful what privileges you allow and what you type in.

 

[aminaked]

I did not think to check too closely during all the updates that followed.

I've done this too. This is a pretty big problem. Solving it isn't easy because it relies on getting the user to read and think first and THEN press install. Good luck!

 

[TuBitMittens]

What is the actual name of the app?????????????