Android Data Stealing App Downloaded By Millions
wisebabo writes "A wallpaper utility (that presents purloined copyrighted material) 'quietly collects personal information such as SIM card numbers, text messages, subscriber identification, and voicemail passwords. The data is then sent to www.imnet.us, a site that hails from Shenzhen, China.'"
I'm going back to winmo where it's "Safe!"
My abilities are only limited by my imagination
A wallpaper APP? Why would you need an app? It can't just display a jpg as wallpaper?
Free Martian Whores!
This is a very good reason to run Droidwall. However, the bad news is that Android apps are going to a model where they ping one of Google's servers to check if they are licensed for that user. Of course, Droidwall can be updated to allow any apps to connect to that server farm's IP address range even if they are disallowed from anywhere else, but that may take some programming.
Droidwall also requires root access.
According to this [http://phandroid.com/2010/07/29/another-app-stealing-data/].
"Your voicemail's password is also not transmitted unless you included the password in your phone's voicemail number field."
It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
What was the NAME of this evil app? Neither TFS nor TFA bother to tell us that. We got the Dev Name which is almost as good, but geez.
God help anybody who used facebook and this app... there's every chance they will get home tonight and find an imposter in bed with their wife.
This is one good reason to have a unified app service, where all the apps are first vetted before they are released. I think mozilla's addon collection is a good model to follow.
I am surprised, shocked, and dismayed to see a fine journalistic source such as Slashdot stoop to yellow journalism, as it were. There is absolutely nothing suspicious about the origin of the website being in Shenzhen, China and the summary's implication of this is absolutely untoward. I expect a full apology posted immediately, then duped again tomorrow.
A NYC lawyer blogs. http://www.chuangblog.com/
Well, part of the news here is the comparison to Apple's heavily-controlled store model. Would this have happened on the iPhone? Would the app have even been approved?
Even if they're told exactly what the app will have access to, people will click through anything.
No, you don't need the name in order to avoid it, but it might be useful, I dunno, to see if one already HAS it.
Just sayin'.
Update from TFA:
Update: Lookout notes it does not capture browsing history and text messages: It collects your browsing history, text messages, your phone’s SIM card number, subscriber identification, and even your voicemail password, as long as it is programmed automatically into your phone.
Looks like it doesn't collect browsing history and text messages after all.
When I read TFA, I saw the part where 47% of Droid apps use third party coding, and 23% of Apple apps also use it. Then I realized, there's no safe place to hide. I like my walled garden, but even that has leaks.
Here's to hot beer, cold women, and Glaswegian kisses for all.
This is sort of like the early days of MS-DOS, back when everyone trusted everything they downloaded.
Although Android apps do run in a security "sandbox" whereby they can't access the user space of other apps (see http://developer.android.com/guide/topics/security/security.html for more information), they can and do access the general configuration information of the phone such as personal data, phone calls, and SIM information, and some apps obviously need to use the phone's dialup or networking capabilities.
At install time, the user is shown a list of resources the app will access, but since most apps need at least some resources on the device to be useful, we are all in the habit of just clicking past this screen and installing, and then hoping the app is not malevolent in some way.
I think there needs to be some sort of sandbox where apps can reside prior to full release into the wild. Probably, most users won't understand how to use such a feature, but knowledgeable users would make use of it, and ultimately it would help promulgate security concepts into the general consciousness. Power users who write reviews and prominent blog pieces on Android will be able to help guide the masses to safer use of apps.
it's = "it is"; its = possessive. E.g., it's flapping its wings.
As we've seen from the "colored flashlight app that's really a tethering app," I don't know why people are still putting their trust in Apple's "approval" process as far as safety is concerned. They obviously don't check the code behind an app -- today it's a tethering app, tomorrow it's one that's sending your data to China (if it doesn't already exist, and I'd be surprised if it didn't).
It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
"Nobody has it in use. Once they discovered it, millions of Google security researchers downloaded it to run sandboxed or on AVDs." - Google Spokesperson
None of those apps stole data from people's phones. Instead, they artificially voted one another up to generate sales, and users' iTunes accounts were hacked. That's obviously still a grievous security failure, but it's server-side, and has nothing to do with the app store's approval process.
The apps (or rather, the Android Market) told you at install-time that they wanted access to your Google accounts. Anyone who didn't back out on seeing that... well, I wouldn't say "deserves what they get", but I will say "was adequately forewarned".
Instead, I have to say 'the droid is known to have data stealing apps and no I can't tell you which ones suck ass, just get yourself an iPhone so apple can protect you, it's far easier on all of us'
What the fuck is wrong with you?
You imply that you're tech-savvy and then in the same post assume Apple will protect them? Sneaking code by Apple is completely impossible! Oh wait...
Apple is doing an equally bad job of protecting its ecosystem.
There have been several customer-data-grabbing iPhone apps, and these have only been yanked after members of the public alerted Apple to them.
Pinchmedia: http://i-phone-home.blogspot.com/2009/07/pinchmedia-anatomy-of-spyware-vendor.html
Storm8: http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail??blogid=150&entry_id=51077
MogoRoad: http://www.theregister.co.uk/2009/09/30/iphone_security/
Smuggling tethering past the censors: http://top10.com/mobilephones/news/2010/07/app_smuggles_tethering_onto_iphone/
Apple don't look at the source code of apps, they just test the binary and scan it for badness.
Provided the binary encrypts its strings, and does nothing dodgy during the short testing window (less than two weeks), Apple approve it.
Apple's custodianship doesn't protect you from determined data thieves, only the incompetent ones.
Android market, while just as bad as Apple, at least gives you the opportunity to decide if you want an app based on what permissions it demands. If it demands too much, you reject it. Once you give it the "OK", it can't turn around and demand more. I'd prefer that Apple added that (telling you what permissions the code has, not letting it have more), even if they keep their approval process.
Does my bum look big in this?
The tethering app wasn't discovered because it was extremely difficult to trigger - it required very specific network settings, a multi-step setup process, and tapping different colors in a specific pattern just to enable the tether. Very different from discovering an app is sending your data off wholesale.
The hidden tethering app is only going to be discovered via thorough code decompilation and analysis. Sending chunks of data to a random server for no appreciable purpose can be found easily via tcpdump.
I don't know what kind of crack I was on, but I suspect it was decaf.
Such reporting wasn't disallowed until very recently. There was a very good reason for it as well - developers then got that data back so they could tell how many people were still on old OS versions, what the uptake was on a new OS, and could plan their features and releases accordingly.
The only reason Apple got upset is it revealed prototype OS versions in their lab as a side effect.
I don't know what kind of crack I was on, but I suspect it was decaf.
What malicious apps have gotten through Apple's approval process? I'm open to any links you may have. Don't bother linking to the guy who hacked into iTunes accounts and used them to buy his otherwise legitimate app -- the app itself was not malicious, so there's no reason to blame the approval process for the incident.
You say "tethering apps" as if that's a bad thing. The app didn't steal any data, or use any APIs that could reveal the user's personal data. Apple checks all submissions against their list of approved APIs... an app that steals personal data would have to use unapproved or custom APIs and would therefore be rejected from the app store.
I'm not saying Apple's approval process is perfect, but it *is* set up to catch malicious data-stealing apps.
The approval process didn't do any good when data was stolen from Apple users a month or two ago. A bunch of people were charged for apps they never bought, and several apps were removed from the app store, but a full explanation from Apple was never offered.
So I guess you think that it's totally irrelevant that a) the stolen data had nothing to do with the app approval process, and b) the data was not stolen by the approved apps?
Yeah, let's blame the approval process for something to which it is completely unrelated. *eye roll*
These wallpaper apps cannot access your contacts' phone numbers, SMS messages or personal information.
Check out the manifest permissions on the apps in question. It is the last item that is the problem.
Storage: modify/delete
Your location: coarse (network-based) location
Network communication: full Internet access
Phone calls: read phone state and identity
The permission only allows the app to read the IMEI number of your phone (your hardware's unique identifying number), your phone number, and your currently programmed voice-mail number. If you hard coded your voice-mail password as part of your voice-mail number, then they have that too.
They shouldn't be stealing this info, and Google should separate "read phone state" from "read identity", but the stories on this app stating that your SMSes, contacts and grandmother's girdle are being stolen and sent to China are just plain wrong.
you apparently missed the comments in the threads above; things have still snuck by the apple store folk. the only real way to catch this stuff is be conscious of what you're installing, and report suspicious items.
from user -kyz:
Apple is doing an equally bad job of protecting its ecosystem.
There have been several customer-data-grabbing iPhone apps, and these have only been yanked after members of the public alerted Apple to them.
Pinchmedia: http://i-phone-home.blogspot.com/2009/07/pinchmedia-anatomy-of-spyware-vendor.html
Storm8: http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail??blogid=150&entry_id=51077
MogoRoad: http://www.theregister.co.uk/2009/09/30/iphone_security/
Smuggling tethering past the censors: http://top10.com/mobilephones/news/2010/07/app_smuggles_tethering_onto_iphone/
the moral of the story is, it doesn't matter if it's closed or open-source. the end user is still the difference maker.
Read the paper by Nick Seriot to see what iPhone apps can do without users being aware of it. And given that iPhone apps can be obfuscated to avoid automatic analysis by Apple, the real question is, how many apps are on the app store that steal your data without anyone knowing about it? Bear in mind that this report is here because Android apps tell you what they can do when you install them. All this company did was grep the market for apps that seemed to request more permissions than they should for their category.
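Added example (not part of any poster's comment, and not Lookout's or Google's code): the kind of check the last comment describes, comparing an app's requested permissions against what its category plausibly needs, applied to the four permissions listed earlier in the thread. The per-category baseline, the sensitive-permission set, the package name and the sample manifest are assumptions constructed for illustration; the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed baseline of permissions a category plausibly needs (illustrative only).
EXPECTED = {
    "wallpaper": {P + "SET_WALLPAPER", P + "INTERNET", P + "WRITE_EXTERNAL_STORAGE"},
}
# Permissions that expose device identity, location or personal data.
SENSITIVE = {P + "READ_PHONE_STATE", P + "ACCESS_COARSE_LOCATION",
             P + "ACCESS_FINE_LOCATION", P + "READ_SMS", P + "READ_CONTACTS"}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}


def audit(category, manifest_xml):
    """Flag permissions beyond the category baseline."""
    perms = requested_permissions(manifest_xml)
    excess = perms - EXPECTED.get(category, set())  # unknown category: all excess
    return {
        "excess": sorted(excess),
        # Sensitive data is only a leak risk if the app can also reach the network.
        "can_send_sensitive": bool(excess & SENSITIVE) and P + "INTERNET" in perms,
    }


# Constructed manifest mirroring the four permissions listed in the thread.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

if __name__ == "__main__":
    print(audit("wallpaper", SAMPLE_MANIFEST))
```

For the sample, the two flagged permissions are the location and phone-state ones, which matches the thread's point that the last item in the list is the problem once it is combined with full Internet access.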