



Lookout security executives presented at the Black Hat conference in Las Vegas their discovery that a popular Android app stole user info.  (Source: VentureBeat)

Millions of users expected My Little Pony and other wallpapers, but ended up getting their passwords stolen.  (Source: Mike to the Max)
Personal information may be exploited for nefarious purposes

If you download Jackeey Wallpaper from Google's Android Market for your smartphone, you might want to start worrying just about now.  The popular app has been exposed as potentially being a piece of malware designed to steal your personal info and send it to China.

John Hering, chief executive, and Kevin Mahaffey, chief technology officer at Lookout, a mobile security firm, revealed the stunning news in their presentation at the Black Hat security conference in Las Vegas today.  Mahaffey states, "Even good apps can be modified to turn bad after a lot of people download it.  Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it."

Jackeey Wallpaper was downloaded millions of times (between 1.1 million and 4.6 million to be precise).  It offers popular wallpapers, such as My Little Pony and Star Wars.  Other apps by developer iceskysl@1sters are also collecting similar info.

The app collects your phone’s SIM card number, subscriber identification, and even your voicemail password and sends it to www.imnet.us -- a website owned by someone in Shenzhen, China.

The app warns when attempting to access your "phone info", but many users have reportedly ignored this vague warning.  At least Android has some warning on its approved apps, though -- there's no warning on approved apps trying to access your private data on the iPhone/iPad.  Users can, however, manually disable apps' ability to access personal data in their Apple device's settings.
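The install-time warning can be turned into a repeatable check. The following is an added example, not code from Lookout or from the article: it reads a decoded AndroidManifest.xml and flags sensitive permissions that the app's stated purpose does not explain, rating them higher when the app can also reach the network. It assumes the "phone info" prompt corresponds to `android.permission.READ_PHONE_STATE`; the package name and manifest are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose user data, and the one that lets it leave the device.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device and subscriber identifiers",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}
NETWORK = "android.permission.INTERNET"

# Constructed sample: decoded manifest of a hypothetical wallpaper app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Wallpapers"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml.strip())
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries without a name

def audit(manifest_xml, expected=frozenset()):
    """List (severity, permission, data) for sensitive permissions that the
    app's purpose (the `expected` set) does not account for."""
    perms = requested_permissions(manifest_xml)
    can_send = NETWORK in perms
    findings = []
    for perm, data in SENSITIVE.items():
        if perm in perms and perm not in expected:
            # Readable data plus network access means it can be uploaded.
            findings.append(("high" if can_send else "medium", perm, data))
    return sorted(findings)

if __name__ == "__main__":
    for severity, perm, data in audit(SAMPLE_MANIFEST):
        print(f"[{severity}] {perm}: exposes {data}")
```

A wallpaper app has no functional need for any entry in `SENSITIVE`, so `expected` stays empty; a dialer or navigation app would pass the permissions its function justifies.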

Lookout has studied over 100,000 Apple and Android apps and has found that 47 percent of Android apps and 23 percent of iPhone apps collect some sort of user information.  Some uses appear to be not directly malicious, such as collecting location information to target ads.

The security firm says that Apple and Google are doing a good job policing overtly malicious apps, but that they're having trouble handling apps that behave in a strange but unclear fashion.  For example, no one knows yet whether the Jackeey Wallpaper app did anything malicious with users' voicemail passwords.

App security issues came into sharp focus over the last month when at least hundreds of iTunes accounts were hacked and app and in-app purchases racked up as much as $1,000 on some users' accounts.  Apple was unsympathetic about the incident, suggesting users resolve it with their credit card companies.  Some of the companies didn't even have iPhones, but Apple apparently does not consider this when allowing app purchases.




Tragic
By Storkme on 7/29/2010 1:53:32 PM , Rating: 5
Man, I really wanted that my little pony wallpaper :[




RE: Tragic
By InvertMe on 7/29/2010 1:59:39 PM , Rating: 3
I could give you some posters from my daughter's wall. It's covered in ponies!


RE: Tragic
By amanojaku on 7/29/2010 2:35:08 PM , Rating: 2
Is it just me, or did that sound like a desperate plea to get that crap out of your house? I'm worried that if I have girls that I'll have to see those cutesy, and probably glittery, things all over the place. Or worse, boy band posters...


RE: Tragic
By geddarkstorm on 7/29/2010 2:42:49 PM , Rating: 5
Or even worse: Twilight posters.


RE: Tragic
By JonB on 7/30/2010 9:00:44 AM , Rating: 4
You are obviously not on Team Edward!


RE: Tragic
By quiksilvr on 7/29/2010 2:21:22 PM , Rating: 5
RE: Tragic
By NullSubroutine on 7/29/2010 2:59:22 PM , Rating: 4
Too bad all your wallpapers are belong to us.


Are you kidding me?
By behemothzero on 7/29/2010 1:57:24 PM , Rating: 5
Jackeey Wallpaper was downloaded millions of times (between 1.1 million and 4.6 million to be precise )

Where's the "precise" in a range of 1.1 million to 4.6 million?




RE: Are you kidding me?
By InvertMe on 7/29/2010 2:00:16 PM , Rating: 2
I think they were kidding you - I assumed it was a joke.


RE: Are you kidding me?
By melgross on 7/29/2010 2:19:18 PM , Rating: 2
Unlike the Apple App Store, the Android market doesn't give good numbers on apps downloaded. They really don't know the number of these apps out there, just that it's somewhere between those numbers.


RE: Are you kidding me?
By ZoZo on 7/29/2010 2:28:06 PM , Rating: 2
Precision is a relative concept.
A range of 1.1m to 4.6m is more precise than the range that "millions" refers to (roughly 1m to 20m, above that range people tend to switch to something else, like "tens of millions").


RE: Are you kidding me?
By leexgx on 7/30/2010 9:02:34 PM , Rating: 2
think they mean 1m on Android and 4m on iphone


RE: Are you kidding me?
By JPForums on 7/30/2010 7:28:31 AM , Rating: 3
quote:
Where's the "precise" in a range of 1.1 million to 4.6 million?


It's plenty precise. It equates to about 2.85 million downloads with a variance of only 1.75 million. The variance in downloads is only 61.4% of the nominal ... Oh, wait.


iPhone info
By melgross on 7/29/2010 2:48:43 PM , Rating: 4
I don't know why the article had to mention the iPhone in relation to this. Apps ask anytime they need location data. When you get a new app it asks if it can use personal data, if it needs that. Also, in the system prefs, you can set each app that does this to do it or not, and you can change that pref any time you like. This is much better than the way Android phones do it.

Apple also does check what apps do, unlike Google which does nothing. And Apple will quickly remove an app that it later finds violates its customer guidelines in taking info that may have slipped through. Google is pretty lax in this. Is this app, and others like it, still in the Google Marketplace? If so, shouldn't they all be gone by now?




RE: iPhone info
By theplaidfad on 7/29/2010 3:06:39 PM , Rating: 1
Didn't you get the memo? It's the very "in" thing to do now to bash Apple at every possible moment, deserved, or un-deserved. The constant stream of anti-apple spam is just as annoying as the Apple fans defending the un-defendable.


RE: iPhone info
By CZroe on 7/31/2010 6:19:41 PM , Rating: 2
Backdoor in top iPhone games stole user data:

http://www.theregister.co.uk/2009/11/06/iphone_gam...

Undeserved? My, how quickly we forget.


RE: iPhone info
By TheHarvester on 7/29/2010 4:21:39 PM , Rating: 2
Question-- I realize that Apple's app store provides some additional oversight (some might argue draconian oversight) to the apps that it supplies to users. Google, I understand, does not provide this same oversight. On either device, when you install a new app, it tells you what it is requesting permission to access. Is it possible, however, that among all the various iPhone apps there are apps that have code that harvests information and sends it to China? Is Apple really going line by line with the code to figure out if anything is being used in this way? I know they look at the basic functionality of the App and generally what it does, but it seems to me they can't REALLY know exactly what the iPhone apps are doing with all the information... I mean, an app that has to have access to your location to function could be sending that to China as well, right?


RE: iPhone info
By kmmatney on 7/29/2010 4:47:36 PM , Rating: 2
I'm guessing that since you have to use the Apple API, they can probably easily check if a program is trying to get personal information, like voicemail passwords, location info, etc...
The location functions I'm not so worried about - it's the other personal information, such as passwords and contacts, that is a big issue.


RE: iPhone info
By Tony Swash on 7/29/2010 7:57:17 PM , Rating: 1
quote:
Is it possible, however, that among all the various iPhone apps there are apps that have code that harvests information and sends it to China? Is Apple really going line by line with the code to figure out if anything is being used in this way? I know they look at the basic functionality of the App and generally what it does, but it seems to me they can't REALLY know exactly what the iPhone apps are doing with all the information... I mean, an app that has to have access to your location to function could be sending that to China as well, right?


Weak.

So many "what ifs", "its possible"

A system that tries to check the functionality of apps for among things malicious content before those apps go public is surely by definition less likely to distribute malware than one that doesn't.

The Apple App Store model has pros and cons as does the Google model. Customers should have the information available so that they can make an informed choice.

Apple is betting (correctly in my opinion) that after the fiasco of Windows insecurity over the last decade or so that most consumers want safety rather than some elusive notion of openness. Some people will of course much prefer the Google model and accept the calculated risks as being outweighed by the perceived benefits of the Google model.

That's why it's good if both the iPhone and Android thrive and thus offer the consumer a choice.


Apple Troll
By droplets on 7/29/2010 10:18:52 PM , Rating: 2
I love the slick way Mick rolls Apple into this article. Food for distraction.




RE: Apple Troll
By bkslopper on 7/30/2010 4:48:52 AM , Rating: 5
Yup, we got Mick-Roll'd.


CHINA
By TheRequiem on 7/29/2010 1:34:06 PM , Rating: 1
I lived in China for a while and every time I hear something like this, it makes me want to organize a group of elite hax0rz and get back at them, but then I have to remind myself, they make all of our equipment, what the hell are we going to take from them? The poor kids will always take from the rich fellows...




RE: CHINA
By mcnabney on 7/29/2010 8:58:49 PM , Rating: 2
Well, we could start with about a trillion dollars in Treasuries and about twice that amount in bonds and securities. Silly Americans think that their country is still rich.


Walled Gardens
By ZachDontScare on 7/29/2010 2:25:10 PM , Rating: 1
Things like this crack me up. The whole point of the 'walled garden' approach to operating systems - basically forcing everyone to use a centralized marketplace, making people need to hack their phone for root access, restricting development to certain languages, etc - is to prevent this. But instead, it gives hackers access to millions of potential victims who don't give a second thought to security because they assume they are safe.

I'm gonna call the Walled Garden a giant FAIL




RE: Walled Gardens
By sprockkets on 7/29/2010 10:57:41 PM , Rating: 2
quote:
I'm gonna call the Walled Garden a giant FAIL


Android doesn't force people to use the marketplace, nor apparently do they approve/check their apps before sale.

Security vs. Ease of Use; advantages and disadvantages to each way of doing things.


By sciwizam on 7/29/2010 3:39:23 PM , Rating: 2
http://www.androidcentral.com/rogue-android%20app-...

With updates from the security firm and the developer of these apps.




retards
By Shadowmaster625 on 7/30/2010 10:07:38 AM , Rating: 2
This is just pathetic. How can that many millions of people be so stupid? Use open source programs that have been reviewed by people who know how to read through code.




Why the fuss?
By TechIsGr8 on 7/30/10, Rating: 0
RE: Why the fuss?
By bernardl on 7/30/2010 7:01:02 PM , Rating: 2
Yep, isn't it fascinating how greed will have killed us in less than 20 years?

What you write is actually true but the scariest thing is that history might repeat itself again and guns take over money to level the playing field once again. The only real question is how this is going to be played on us in a way that 99% of the population believes is real.

Cheers,
Bernard

