Another rogue app stealing data, security firm reports [updated]

Bad Wallpaper App

Update 2: We've heard back from the developer of these apps, who tells us the following:

"What the ceo [sic] of Lookout said makes no sense. I will email you with details later."

We await the details. In the meantime, be aware that the developer listed on the suspect wallpaper apps has been changed to callmejack. We're still diving into this one. But for the time being, we recommend not installing these apps.

Original: Before we start, grab your phone and your computer and hit this link: Android apps by jakeey, wallpaper. If you have any of these applications on your Android phone, uninstall them.

We'll wait.

Now you ask, why did we recommend (nay, demand!) you uninstall any of those apps? Lookout says that one or more of these apps are stealing your data and sending it to an unknown person or persons in China. Yup, innocent-looking wallpaper apps. According to Lookout, the app(s) in question are collecting:

  • browsing history
  • text messages
  • your SIM card data
  • subscriber ID
  • voicemail password (if it's set to be entered automatically)

Look for Google to pull these soon, as they potentially affect at least 1.1 million users, but for now remember to read what an app can do when you install it. That's that screen you ignore every time you install an app. The one that tells you what system permissions the app has access to. If, say, a calculator wants to see your contacts list, think twice.

It's worth remembering that Android is the only OS that gives you these sorts of warnings. And before any Apple fanatics get too cocky, at least these apps aren't stealing money from your Google Checkout account. We're keeping a close eye on this one; you'll hear more as it unfolds. [Mobile Beat via 9 to 5 Mac]

Update: Lookout got back to us overnight to clarify a few things as reported in the Mobile Beat story. They're not going quite so far as to call the app "malicious," but questions remain. Read Lookout's e-mail to us after the break. We've e-mailed the apps' developer for further explanation.

Hi Jerry,

I wanted to reach out to you regarding the wallpaper app we recently discussed at Blackhat to clarify a few things.

Specifically, the wallpaper applications we analyzed proved to send several pieces of sensitive data to a server, including a device's phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a device's SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password).

Also, it's important to note that the applications were estimated by androidlib to have between 1 and 4 million downloads (not necessarily the same thing as 1-4 million users).

Finally, while the data the wallpaper apps are accessing are certainly suspicious coming from wallpaper apps, we're not saying that these applications are malicious. There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent.

I'm happy to answer any more questions you have.

Thanks,

Kevin

Kevin Mahaffey

Founder, CTO

Lookout, Inc.
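The install-time permission check recommended earlier in the article, applied to the data Lookout's e-mail lists, as an added example that is not part of the original article or Lookout's analysis. It assumes a decoded, plain-text AndroidManifest.xml; the sample manifest, package name and per-category baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"

# Assumed baseline: what an app of each category plausibly needs.
EXPECTED = {
    "wallpaper": {"android.permission.SET_WALLPAPER", INTERNET},
    "calculator": set(),
}

# Data each sensitive permission exposed on Android releases of the article's era.
EXPOSES = {
    "android.permission.READ_PHONE_STATE":
        "phone number, subscriber ID, voicemail number",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contacts list",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browsing history",
}

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}  # skip entries with no android:name

def audit(manifest_xml, category):
    """List permissions outside the category baseline and what they expose."""
    requested = requested_permissions(manifest_xml)
    unexpected = sorted(requested - EXPECTED.get(category, set()))
    findings = [(p, EXPOSES.get(p, "not in table; review manually"))
                for p in unexpected]
    # A sensitive read combined with INTERNET means the data can leave the device.
    can_leave_device = INTERNET in requested and any(p in EXPOSES for p in requested)
    return findings, can_leave_device

if __name__ == "__main__":
    findings, can_leave = audit(SAMPLE_MANIFEST, "wallpaper")
    for perm, data in findings:
        print(f"unexpected for a wallpaper app: {perm} -> {data}")
    print("sensitive data can be sent off-device:", can_leave)
```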

Jerry Hildenbrand
Senior Editor — Google Ecosystem
