

Lookout security executives presented at the Black Hat conference in Las Vegas their discovery that a popular Android app stole user info.  (Source: VentureBeat)

Millions of users expected My Little Pony and other wallpapers, but ended up getting their passwords stolen.  (Source: Mike to the Max)
Personal information may be exploited for nefarious purposes

If you download Jackeey Wallpaper from Google's Android Market for your smartphone, you might want to start worrying just about now.  The popular app has been exposed as potentially being a piece of malware designed to steal your personal info and send it to China.

John Hering, chief executive, and Kevin Mahaffey, chief technology officer at Lookout, a mobile security firm, revealed the stunning news at their presentation at the Black Hat security conference in Las Vegas today.  States Mahaffey, "Even good apps can be modified to turn bad after a lot of people download it.  Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it."

Jackeey Wallpaper was downloaded millions of times (between 1.1 million and 4.6 million to be precise).  It offers popular wallpapers, such as My Little Pony and Star Wars.  Other apps by developer iceskysl@1sters are also collecting similar info.

The app collects your phone’s SIM card number, subscriber identification, and even your voicemail password and sends it to www.imnet.us -- a website owned by someone in Shenzhen, China.

The app warns when attempting to access your "phone info", but many users have reportedly ignored this vague warning.  At least Android has some warning on its approved apps though -- there's no warning on approved apps trying to access your private data on the iPhone/iPad.  Users can disable apps' ability to access personal data in their Apple device's settings manually, though.

Lookout has studied over 100,000 Apple and Android apps and has found that 47 percent of Android apps and 23 percent of iPhone apps collect some sort of user information.  Some uses appear to be not directly malicious, such as collecting location information to target ads.

The security firm says that Apple and Google are doing a good job policing overtly malicious apps, but that they're having trouble handling apps that behave in a strange, but unclear fashion.  For example, no one knows yet whether the Jackeey Wallpaper app did anything malicious with users' voicemail passwords.

App security issues came into sharp focus over the last month when at least hundreds of iTunes accounts were hacked and app and in-app purchases racked up as much as $1,000 on some users' accounts.  Apple was unsympathetic about the incident, suggesting users resolve it with their credit card companies.  Some of the companies didn't even have iPhones, but Apple apparently does not consider this when allowing app purchases.



Comments

RE: iPhone info
By TheHarvester on 7/29/2010 4:21:39 PM , Rating: 2
Question-- I realize that Apple's app store provides some additional oversight (some might argue draconian oversight) to the apps that it supplies to users. Google, I understand, does not provide this same oversight. On either device, when you install a new app, it tells you what it is requesting permission to access. Is it possible, however, that among all the various iPhone apps there are apps that have code that harvests information and sends it to China? Is Apple really going line by line with the code to figure out if anything is being used in this way? I know they look at the basic functionality of the App and generally what it does, but it seems to me they can't REALLY know exactly what the iPhone apps are doing with all the information... I mean, an app that has to have access to your location to function could be sending that to China as well, right?


RE: iPhone info
By kmmatney on 7/29/2010 4:47:36 PM , Rating: 2
I'm guessing that since you have to use the Apple API, they can probably easily check if a program is trying to get personal information, like voicemail passwords, location info, etc...
The location functions I'm not so worried about = it's the other personal information, such as passwords and contacts that is a big issue.


RE: iPhone info
By Tony Swash on 7/29/2010 7:57:17 PM , Rating: 1
quote:
Is it possible, however, that among all the various iPhone apps there are apps that have code that harvests information and sends it to China? Is Apple really going line by line with the code to figure out if anything is being used in this way? I know they look at the basic functionality of the App and generally what it does, but it seems to me they can't REALLY know exactly what the iPhone apps are doing with all the information... I mean, an app that has to have access to your location to function could be sending that to China as well, right?


Weak.

So many "what ifs", "it's possible"

A system that tries to check the functionality of apps for, among other things, malicious content before those apps go public is surely by definition less likely to distribute malware than one that doesn't.

The Apple App Store model has pros and cons as does the Google model. Customers should have the information available so that they can make an informed choice.

Apple is betting (correctly in my opinion) that after the fiasco of Windows insecurity over the last decade or so that most consumers want safety rather than some elusive notion of openness. Some people will of course much prefer the Google model and accept the calculated risks as being outweighed by the perceived benefits of the Google model.

That's why it's good if both the iPhone and Android both thrive and thus offer the consumer a choice.

