Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Data Stealing App Downloaded By Millions

Posted by CmdrTaco on from the nobody-is-safe dept.

wisebabo writes "A wallpaper utility (that presents purloined copyrighted material) 'quietly collects personal information such as SIM card numbers, text messages, subscriber identification, and voicemail passwords. The data is then sent to www.imnet.us, a site that hails from Shenzen, China.'"

30 of 335 comments (clear)

  1. Thats it! by socz · · Score: 3, Funny

    I'm going back to winmo where it's "Safe!"

    --
    My abilities are only limited by my imagination
    1. Re:Thats it! by socz · · Score: 4, Funny

      Of course it happens to any platform that you can install/patch/hack on. A lot of people don't even install anything on their winmo phones because its a hassle, yet on iP and droid, it's as easy as pie! But anyone who thinks they're safe is a fool... because unless you compile your own compiler...

      --
      My abilities are only limited by my imagination
    2. Re:Thats it! by mark72005 · · Score: 4, Funny

      I am anxiously awaiting the safety and security of Windows Phone 7

    3. Re:Thats it! by Dishevel · · Score: 4, Funny

      and write your own compiler.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    4. Re:Thats it! by brasselv · · Score: 3, Funny

      and run it on hardware you designed and manufactured yourself

      --
      "Whenever people agree with me I always feel I must be wrong." (Oscar Wilde)
  2. I'm confused... by mcgrew · · Score: 4, Insightful

    A wallpaper APP? Why would you need an app? It can't just display a jpg as wallpaper?

    --
    Free Martian Whores!
    1. Re:I'm confused... by socz · · Score: 3, Informative
      This is what confuses me:

      The wallpaper app asks for permission to access your “phone calls,” but that isn’t necessarily a clear warning.

      When I started learning android, one of the first programs I made was literally just text and a color background right... and it still asked for permission for calls! I was like hrm, maybe I got a tampered with version of the SDK? But that is why I'm just like *shrugs it off* when I see wall paper apps request phone call access. Now, I don't download wall paper apps lol but, I can see why those who did shrugged it off as well. This is probably something that google needs to explain better, or I need to learn better, or things need to be changed.

      --
      My abilities are only limited by my imagination
    2. Re:I'm confused... by brainboyz · · Score: 4, Informative

      Your manifest file is wrong. You request a list of permissions that your app is then allowed to use, but requesting them does not mean you used it. You probably have PROCESS_OUTGOING_CALLS or CALL_PHONE listed unnecessarily.

    3. Re:I'm confused... by jeffmeden · · Score: 4, Informative

      honestly, i think that you did something wrong with your test app. there are tons of highly intricate apps that do not request permission to make calls. now, if your app wanted to go to the background when a call came and relaunch when the call is over that's something different. however, that permission is "read phone state" which does not sound the same at all.

      Yes, "read phone state" sounds totally different than "make phone calls" or whatever the exact verbage is... /sarcasm

      Cellphones went mainstream about 10 years ago, and even smartphones like those based on Android are very common. This means they are in the market where you need it to be so simple that someone with a barely functioning grasp of English could figure it out.

      To software engineers, there might be a difference between "read phone state" and "make phone calls" but to a layperson there really isn't. You really need to look at it with the "would it work in a car" mentality: is it simple enough to be put into a car and be figured out by anyone with a mild amount of training in "not crashing"? Hint: "turn key to start" is good, an arrow indicating which way to turn it is better, and "please select from the available options: Activate engine controls. Activate engine starter motor. Activate seat belt latch." is NOT going to go over well.

      All this nonsense about "well the user was advised that SIM activity could be perturbed by the inclusion of application permission" as an excuse for a poorly implemented security platform needs to be thrown out the window unless you want Android to turn into Windows Mobile 6 in a matter of months while security and usability problems fly out of the woodwork and people flock to a different platform without such headaches.

    4. Re:I'm confused... by socz · · Score: 3, Insightful

      Well, what was interesting *to me* was that when I sent the program to the emulator, i left it blank! So I hadn't even made any changes to the default and it was asking for permission. In my mind, if it does nothing, why does it need access?

      --
      My abilities are only limited by my imagination
    5. Re:I'm confused... by arth1 · · Score: 3, Interesting

      Wallpapers aren't just static images.

      The wallpaper I have here, changes colour depending on the time of day.
      You can even show a view adjusted for the weather where you are.

    6. Re:I'm confused... by disambiguated · · Score: 3, Interesting

      Yes that is exactly how it works. You specify which permissions your app needs in the xml manifest. These permissions are displayed to the user. If your app attempts to use an API which requires permissions not specified in the manifest, the app gets a security exception. It doesn't rely on the developer being honest.

  3. Not SMS history or voicemail passwords by mdm-adph · · Score: 3, Informative

    According to this [http://phandroid.com/2010/07/29/another-app-stealing-data/].

    "Your voicemail's password is also not transmitted unless you included the password in your phone's voicemail number field."

    --
    It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
  4. WHAT app? by geminidomino · · Score: 5, Informative

    What was the NAME of this evil app? Neither TFS nor TFA bother to tell us that. We got the Dev Name which is almost as good, but geez.

    1. Re:WHAT app? by black_lbi · · Score: 5, Informative

      It's not just one single app ... all apps from Jackeey Wallpaper
      http://www.androidzoom.com/android_developer/jackeeywallpaper_bofz.html

  5. Face off? by notaspunkymonkey · · Score: 4, Funny

    God help anybody who used facebook and this app... there's every chance they will get home tonight and find an imposter in bed with their wife.

    1. Re:Face off? by jsnipy · · Score: 3, Funny

      the Chinese accent would be a tipoff :)

      --
      -- if you mod me down, I will become more powerful than you can possibly imagine
  6. Unfortunately by wraithguard01 · · Score: 4, Insightful

    This is one good reason to have a unified app service, where all the apps are first vetted before they are released. I think mozilla's addon collection is a good model to follow.

    1. Re:Unfortunately by AndrewNeo · · Score: 4, Insightful

      Excuse me? I somehow doubt you've ever submitted an addon to Mozilla before. I have, and a real person does indeed check your code.

      From the Editor's Guide:

      Every line of add-on code must be reviewed. The code validator can't detect all possible security or code quality issues, so we must always be in the lookout for bad code.

    2. Re:Unfortunately by diamondsw · · Score: 4, Insightful

      Amazing what a gets a +5 Informative these days. Adding links?

      The first example was due to a developer "hacking" accounts (i.e., guessing passwords).
      The second example is the same story as the first, from a different source.
      The final example is the only one that holds any water. And that allowing crap apps through, not malicious ones.

      --
      I don't know what kind of crack I was on, but I suspect it was decaf.
  7. Implied Racism! by darkmeridian · · Score: 4, Funny

    I am surprised, shocked, and dismayed to see a fine journalistic source such as Slashdot stoop to yellow journalism, as it were. There is absolutely nothing suspicious about the origin of the website being being in Shenzen, China and the summary's implication of this is absolutely untoward. I expect a full apology posted immediately, then duped again tomorrow.

    --
    A NYC lawyer blogs. http://www.chuangblog.com/
  8. People will click through anything by Coopjust · · Score: 5, Insightful

    Even if they're told exactly what the app will have access to, people will click through anything.

  9. I was going to troll, but... by Xaedalus · · Score: 3, Insightful

    When I read TFA, I saw the part where 47% of Droid apps use third party coding, and 23% of Apple apps also use it. Then I realized, there's no safe place to hide. I like my walled garden, but even that has leaks.

    --
    Here's to hot beer, cold women, and Glaswegian kisses for all.
  10. Android needs a sandbox. by yog · · Score: 4, Informative

    This is sort of like the early days of MS-DOS, back when everyone trusted everything they downloaded.

    Although Android apps do run in a security "sandbox" whereby they can't access the user space of other apps (see http://developer.android.com/guide/topics/security/security.html for more information), they can and do access the general configuration information of the phone such as personal data, phone calls, and SIM information, and some apps obviously need to use the phone's dialup or networking capabilities.

    At install time, the user is shown a list of resources the app will access, but since most apps need at least some resources on the device to be useful, we are all in the habit of just clicking past this screen and installing, and then hoping the app is not malevolent in some way.

    I think there needs to be some sort of sandbox where apps can reside prior to full release into the wild. Probably, most users won't understand how to use such a feature, but knowledgeable users would make use of it, and ultimately it would help promulgate security concepts into the general consciousness. Power users who write reviews and prominent blog pieces on Android will be able to help guide the masses to safer use of apps.

    --
    it's = "it is"; its = possessive. E.g., it's flapping its wings.
  11. Re:This is a job for Droidwall by abigor · · Score: 4, Insightful

    You mean they'd have to wait for approval by the App Store? An interesting proposal!

  12. Re:Developers Bitch by kyz · · Score: 5, Informative

    Apple is doing an equally bad job of protecting its ecosystem.

    There have been several customer-data-grabbing iPhone apps, and these have only been yanked after members of the public alerted Apple to them.

    Pinchmedia: http://i-phone-home.blogspot.com/2009/07/pinchmedia-anatomy-of-spyware-vendor.html

    Storm8: http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail??blogid=150&entry_id=51077

    MogoRoad: http://www.theregister.co.uk/2009/09/30/iphone_security/

    Smuggling tethering past the censors: http://top10.com/mobilephones/news/2010/07/app_smuggles_tethering_onto_iphone/

    Apple don't look at the source code of apps, they just test the binary and scan it for badness.

    Provided the binary encrypts its strings, and does nothing dodgy during the short testing window (less than two weeks), Apple approve it.

    Apple's custodianship doesn't protect you from determined data thieves, only the incompetent ones.

    Android market, while just as bad as Apple, at least gives you the opportunity to decide if you want an app based on what permissions it demands. If it demands too much, you reject it. Once you give it the "OK", it can't turn around and demand more. I'd prefer that Apple added that (telling you what permissions the code has, not letting it have more), even if they keep their approval process.

    --
    Does my bum look big in this?
  13. Re:This is a job for Droidwall by mlts · · Score: 4, Insightful

    There is the problem: People like you, me, and almost all Slashdot readers would click "no" if a generic fart app requires a slew of security privs (power, Net, access to SMS, access to contacts, ability to kill other apps, etc.), or even worse, prompted for root privs via su.

    However, the dancing bunny problem strikes here. Joe Sixpack will click "Install" to install a cool app, only to find all his contacts being spammed with "I need $900 ransom" notices, a sky high SMS bill because the app grabs a list of phone numbers and starts sending out text messages with ads on it, maybe even drained bank accounts if he left his banking info and passwords in the Web browser.

    I think Google made one mistake with Android, and that was assuming all users would be clued Linux types who know basic UNIX sanitation. I worry though, if there are more bad apples in the bunch that Android would be start being known as a hive for malware just because there is nothing stopping Joe Sixpack from installing a "pr0n viewer app" that reams his phone.

    I like the walled garden idea, with a way to hop out, that is foreboding to a nontechnical person, but for someone with half a clue, wouldn't pose a problem. For example, the "oem unlock" command with the N1 phones and the warning staying to say buh-bye to the phone's warranty if the user wants to continue. Something to make Joe Sixpack not want to do it and actually pass on watching the dancing bunnies.

  14. Re:Developers Bitch by diamondsw · · Score: 3, Insightful

    Such reporting wasn't disallowed until very recently. There was a very good reason for it as well - developers then got that data back so they could tell how many people were still on old OS versions, what the uptake was on a new OS, and could plan their features and releases accordingly.

    The only reason Apple got upset is it revealed prototype OS versions in their lab as a side effect.

    --
    I don't know what kind of crack I was on, but I suspect it was decaf.
  15. There is a lot of FUD in these stories by gotpoetry · · Score: 3, Interesting

    These wallpaper apps cannot access your contact's phone numbers, SMS messages or personal information.

    Check out the manifest permissions on the apps in question. It is the last item that is the problem.

    !Storage
    modify Delete

    !Your location
    coarse (network-based) location

    !Network communication
    full Internet access

    !Phone calls
    read phone state and identity

    The permission only allow the app to read the IMEI number of your phone (your hardware's unique identifying number), your phone number, and your currently programmed voice-mail number. If you hard coded your voice-mail password as part of your voice-mail number, then they have that too.

    They shouldn't be stealing this info, and Google should separate "read phone state" from "read identity", but the stories on this app stating that your SMS's, contacts and grandmother's girdle being stolen and sent to China just plain wrong.

  16. Re:Gee, if only... by DeskLazer · · Score: 3, Insightful

    you apparently missed the comments in the threads above; things have still snuck by the apple store folk. the only real way to catch this stuff is be conscious of what you're installing, and report suspicious items.

    from user -kyz:
    Apple is doing an equally bad job of protecting its ecosystem.

    There have been several customer-data-grabbing iPhone apps, and these have only been yanked after members of the public alerted Apple to them.

    Pinchmedia: http://i-phone-home.blogspot.com/2009/07/pinchmedia-anatomy-of-spyware-vendor.html

    Storm8: http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail??blogid=150&entry_id=51077

    MogoRoad: http://www.theregister.co.uk/2009/09/30/iphone_security/

    Smuggling tethering past the censors: http://top10.com/mobilephones/news/2010/07/app_smuggles_tethering_onto_iphone/

    the moral of the story is, it doesn't matter if it's closed or open-source. the end user is still the difference maker.