or Connect
AppleInsider › Forums › Mobile › iPhone › Millions of Android users hit by malicious data theft app
New Posts  All Forums:Forum Nav:

Millions of Android users hit by malicious data theft app

post #1 of 211
Thread Starter 
An app distributed by Google's Android Market has collected private data from millions of users and forwarded it to servers China, validating Apple's uniquely strong stance on mobile security in the iPhone App Store.

The exploit, tied to an app that appeared to simply load free custom background wallpapers, was downloaded "anywhere from 1.1 million to 4.6 million times. The exact number isnt known because the Android Market doesnt offer precise data," according to a report by Dean Takahashi of VentureBeat.

The app "collects a users browsing history, text messages, your phones SIM card number, subscriber identification, and even your voice mail password. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China," the report noted (see the update by Lookout below).

The data upload was only discovered afterward, through forensics performed by mobile security firm named Lookout which sells virus and malware protection software for Android, Windows Mobile and BlackBerry devices. The problem was announced at the Black Hat security conference being held in Las Vegas.

(Update: Lookout has clarified in followup comments with AppleInsider that the intent of their "App Genome Project" research was to "identify security threats in the wild and provide insight into how applications are accessing personal data and other phone resources."

The group noted that the Android wallpaper app was "not proven to be malicious," but that the app does "ask the user for specific information around the phone details and that information is transferred to a server [in China]."

Correcting the original VentureBeat story, Lookout stated that "the apps from these developers send several pieces of sensitive data to a server, including a devices phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a devices SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password)."

Lookout also reiterated there is "no proof of malicious intent and in the past apps have been a bit overzealous in getting access to sensitive data with no ill intent." Lookout compared the Android wallpaper app copying local data to a Chinese server with a recent App Store title that purported to be a flashlight app while actually including a hidden SOCKS proxy that could be used for tethering.

Lookout added that it hasn't "yet" published a report detailing the Android wallpaper app, suggesting that it is continuing to look at the situation.)

Mobile data theft on the increase

The issue recalls a recent AT&T website leak that could hypothetically have enabled a malicious hacker to access 144 thousand of iPad 3G user's email addresses.

However, the Android app data theft was actually perpetrated by malicious hackers and not just demonstrated by researchers; it involves far more sensitive data; and affected far more victims--by more than an order of magnitude.

iOS vs Android in app security

Apps on any platform can access personal data and forward that data to an external server, but the Lookout research found that 47 percent of the selection of Android apps it looked at incorporated third party code (which may include malicious functions), while only 23 percent of analyzed iPhone apps did.

Apple also approves iOS apps through a strict vetting process before listing them in the App Store, while Google's Android Market app security involves simply warning the user that an app needs permissions to perform certain functions during the install.

Unlike other mobile platforms secured by Lookout, Apple's iOS platform doesn't have a live virus problem because third party iPhone apps can only be distributed through Apple's curated App Store, and apps are forced to run in a segregated sandbox environment where they can't infect the system. That doesn't necessarily mean iOS apps can't forward user data inappropriately however; Apple has discovered and pulled apps that have violated its privacy policies.

Apps must also be signed by a certificate created by Apple, which makes it much harder for malicious developers to anonymously distribute software designed to cause problems or steal data. Apple's security measures also make such efforts less attractive financially, despite the iOS platform's installed base being much larger than Android's.

Exploitable vulnerabilities in the iOS platform have been reported elsewhere, including the Safari browser, but crafting a malicious attack via the browser requires luring users to a malicious site rather than simply distributing a bad app that appears to be useful and genuine.

Lookout chief executive John Hering said in the report that "he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps," but the report noted it's "unclear what happens" when apps don't actually do what they represent.
post #2 of 211
Androiders gonna need one of these. Ewwwwww.
2011 13" 2.3 MBP, 2006 15" 2.16 MBP, iPhone 4, iPod Shuffle, AEBS, AppleTV2 with XBMC.
Reply
2011 13" 2.3 MBP, 2006 15" 2.16 MBP, iPhone 4, iPod Shuffle, AEBS, AppleTV2 with XBMC.
Reply
post #3 of 211
Enjoy your "open" market, Android users.
post #4 of 211
I love the (Walled Garden)
post #5 of 211
Soon Android users would need to install data protection app as a standard procedure much like Anti-Virus software in Windows system.
post #6 of 211
Apple on the money when saying Jailbreaking wiil lead to piracy, viruses, and cause the IPHONE to lose its SECURE environment.
Sure some people find jailbreaking an advantage. But lets think about all the downside as well.
post #7 of 211
Quote:
Originally Posted by MarkMS View Post

Enjoy your "open" market, Android users.

Now now, Apple also let a major bank publish an app that saved your private banking info, so it's not all great over on Apple's side either. How did that get past the Apple secret police?
post #8 of 211
Quote:
Originally Posted by ghostface147 View Post

Now now, Apple also let a major bank publish an app that saved your private banking info, so it's not all great over on Apple's side either. How did that get past the Apple secret police?

It saved banking data IN the bank app itself IN the iPhone. Not sending the data to Some hacker in China. Big difference.
post #9 of 211
Wait wait wait one damn second. You're trying to tell me that an 'open', unregulated, app store might have malicious apps on it from China? And these apps would collect personal and private data then transmit it to China? NO FREAKING WAY. Google has always been known for protecting user data and sees protecting it's customers as a priority. Android is simply the safest phone OS on the market! <insert sarcastic wit here> This while story comes as no surprise.... <rolls eyes>
post #10 of 211
waiting for the flood of "freedom fighters" to arrive...
"We're Apple. We don't wear suits. We don't even own suits."
Reply
"We're Apple. We don't wear suits. We don't even own suits."
Reply
post #11 of 211
Love to see the fandroids response to this...
post #12 of 211
Quote:
Originally Posted by AppleInsider View Post

The exploit, tied to an app that appeared to simply load free custom background wallpapers, was downloaded "anywhere from 1.1 million to 4.6 million times. The exact number isn’t known because the Android Market doesn’t offer precise data," according to a report by Dean Takahashi of VentureBeat.

The app "collects a user’s browsing history, text messages, your phone’s SIM card number, subscriber identification, and even your voice mail password. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China," the report noted.

I wonder if any EFF members downloaded the pretty wallpaper onto their android phones.
post #13 of 211
Quote:
Originally Posted by FormerARSgm View Post

Wait wait wait one damn second. You're trying to tell me that an 'open', unregulated, app store might have malicious apps on it from China? And these apps would collect personal and private data then transmit it to China? NO FREAKING WAY. Google has always been known for protecting user data and sees protecting it's customers as a priority. Android is simply the safest phone OS on the market! <insert sarcastic wit here> This while story comes as no surprise.... <rolls eyes>

OH NO YOU DIDN'T!!!!!!!!!!!!!!!!!!!!!!!

LOL!!!!!!!!!!!!!
Good god!
post #14 of 211
See Apple told you so!

For those the jailbreak their iPhones they are more likely to get played by malware writers. Now that it is legal to jailbreak I'm sure more people will do it. We may even see a lawsuit from jailbroken iPhone users claiming Apple didn't protect them enough.
post #15 of 211
Quote:
Originally Posted by BUSHMAN4 View Post

Apple on the money when saying Jailbreaking wiil lead to piracy, viruses, and cause the IPHONE to lose its SECURE environment.
Sure some people find jailbreaking an advantage. But lets think about all the downside as well.

From my encounters, the main reason people jailbreak is to get on T-Mobile and away from AT&T. Then they can tether and do all kinds of things AT&T doesn't like. Get the iPhone on T-Mobile and many will stop jailbreaking as it wouldn't be worth it then.
post #16 of 211
Ha ha!!!!!!
Eric Shmidt tried his damnedest to derail Apple by lauding the so-called freedom of OPEN SOURCE in contrast to Apple's so-called draconian(whatever Eric) app acceptance practice. Not that anything is wrong with open source per se but we all know Eric was trying to win over people. This is what we all knew was going to happen. Did you not see the writing on the walls?
There are too many fu***** people thinking Apple is some dumb country bumpkin outfit. THEY AIN'T!!!!!!!
Apple is a world class, and I stress world class, technology company.
Job is surrounded by the best and brightest. He gets his information form the source, He knows what the hell he's talking about. The problem is the rest of the industry doesn't want YOU to know the truth. Sh** happens!!!!!
post #17 of 211
Quote:
Originally Posted by sennen View Post

waiting for the flood of "freedom fighters" to arrive...

Be patient. It takes some time to make sure one's personal data has not been stolen and exploited, and then it takes more time to come up with a rationalization or some way of muddying the waters so that the whole setup of the Android Market bears no blame.
post #18 of 211
Millions affected. Not a single one complains. And no lawsuits! And yet some of these Android users (who don't even own an iPhone 4) are constantly finding a new thing about the iPhone to carp about.
post #19 of 211
post #20 of 211
"The exact number isnt known because the Android Market doesnt offer precise data"

How do they correctly compensate developers then?
post #21 of 211
No Jacket Required...but you better wear a condom
post #22 of 211
Quote:
Originally Posted by nvidia2008 View Post

Love to see the fandroids response to this...

I’m looking forward to the counterargument. I can’t think of a single angle that is pro-Android on this one.


Quote:
Originally Posted by peter02l View Post

Millions affected. Not a single one complains. And no lawsuits! And yet some of these Android users (who don't even own an iPhone 4) are constantly finding a new thing about the iPhone to carp about.

It is amazing that one modern mobile OS gets denigrate for even the simplest slip up and the other modern mobile OS can make huge errors in design that are well known to fail and barely anyone will ever know it existed despite the number of people it affects.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
Reply
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
Reply
post #23 of 211
Press conference!!! And free bumpers for everybody!!!
post #24 of 211
Quote:
Originally Posted by donarb View Post

Press conference!!! And free bumpers for everybody!!!

how about free iPhone 4s for Android users who downloaded this crap?
post #25 of 211
It's strangely quite on this thread ... no DaHarder ... no Ireland .... no extreme (altho' sometimes he actually says something worthwhile) .... no 8CoreWhore. NO TROLLS!

So this is what paradise feels like. Enjoy it while we can .... they'll all be back soon.
See, in the record business, you can show someone your song, and they don’t copy it. In the tech business, you show somebody your idea, and they steal it. (Jimmy Iovine)
Reply
See, in the record business, you can show someone your song, and they don’t copy it. In the tech business, you show somebody your idea, and they steal it. (Jimmy Iovine)
Reply
post #26 of 211
Quote:
Originally Posted by newbee View Post

no extreme (altho' sometimes he actually says something worthwhile) ...

I no longer see Extreme as trolling. All the posts from him that I’ve read, for months now (at least), have been thoughtful and balanced.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
Reply
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
Reply
post #27 of 211
Android. The new "Windows" for the mobile environment. Time to start including even more crapware like anti-malware, anti-virus, anti-everything just like its Windows counterpart.
post #28 of 211
No issues with the 3 Android phones and two Android tablets in my home, but the spouse's iPhone 4 appears to be dropping calls a bit more than usual today (as indicated by her angrily exclaiming as much upon walking through the door this evening), and the old iPhone 3g didn't take too kindly to that last firmware update.

Oh Well... I guess we're just Android-Lucky
"Why iPhone"... Hmmm?
Reply
"Why iPhone"... Hmmm?
Reply
post #29 of 211
Quote:
Originally Posted by DaHarder View Post

No issues with the 3 Android phones and two Android tablets in my home, but the spouse's iPhone 4 appears to be dropping calls a bit more than usual today (as indicated by her angrily exclaiming as much upon walking through the door this evening), and the old iPhone 3g didn't take too kindly to that last firmware update.

Oh Well... I guess we're just Android-Lucky


Enjoy your spyware
post #30 of 211
Quote:
Originally Posted by sflocal View Post

Android. The new "Windows" for the mobile environment. Time to start including even more crapware like anti-malware, anti-virus, anti-everything just like its Windows counterpart.

Don't forget the clueless who won't pick up on what you just said.

Nullis in verba -- "on the word of no one"

 

 

 

Reply

Nullis in verba -- "on the word of no one"

 

 

 

Reply
post #31 of 211
Quote:
Originally Posted by solipsism View Post

Im looking forward to the counterargument. I cant think of a single angle that is pro-Android on this one.



It is amazing that one modern mobile OS gets denigrate for even the simplest slip up and the other modern mobile OS can make huge errors in design that are well known to fail and barely anyone will ever know it existed despite the number of people it affects.


I think I know the argument Android fanboys will spout: "They should've checked the source code! It's their own fault they didn't. Noobs! I want Android to be mainstream but want it to remain exclusive to tech nerds as well! Just like Linux!" And yet, Apple users are called the elitists.

Seriously though, I feel bad for all the Android users (who aren't fanboys and most likely only use an Android because their network doesn't have an iPhone) whose information has been compromised in the name of OPEN.
post #32 of 211
Quote:
Originally Posted by dmsimmer View Post

No Jacket Required...but you better wear a condom

Motorola DROID X - No Jacket Required!

...but the hacker in China sure likes the $2,000 leather jacket he bought himself with your stolen CC number!
post #33 of 211
Quote:
Originally Posted by sflocal View Post

Android. The new "Windows" for the mobile environment. Time to start including even more crapware like anti-malware, anti-virus, anti-everything just like its Windows counterpart.

Well, they do love to bleat about how this is the Mac/PC wars all over. I guess they're trying to imitate the PC as much as possible, down to the insecurity of the platform and even the contempt its users have for it!
post #34 of 211
Quote:
Originally Posted by davesw View Post

unbelievable ROFL!

http://mobile.venturebeat.com/2010/0...d-by-millions/

"Hering said in a press conference afterward that he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps."

Unbelievable Indeed - Not!
"Why iPhone"... Hmmm?
Reply
"Why iPhone"... Hmmm?
Reply
post #35 of 211
Can anyone tell me how an application with Phone Info permission can read SMS's, history bookmarks, voice mail password?
post #36 of 211
Quote:
Originally Posted by DaHarder View Post

"Hering said in a press conference afterward that he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps."

Unbelievable Indeed - Not!


enjoying the "wallpaper" on your android phone yet?
post #37 of 211
This can/will happen to the iPhone one day. It's inevitable. But I do like the fact that there's a company doing their best to prevent such a thing from happening.
post #38 of 211
Quote:
Originally Posted by Gwydion View Post

Can anyone tell me how an application with Phone Info permission can read SMS's, history bookmarks, voice mail password?


well we (iPhone owners) wouldn't know. ask DaHarder
post #39 of 211
Quote:
Originally Posted by davesw View Post

Enjoy your spyware

Darnit davesw,

I was just thinking, "Not a troll in sight. Perhaps I don't have to have an ignore list." Then you responded to Da Harder, which defeats my 'ignore'.

Thank you.

Though it was good while it lasted.

My Ignore List (Subject to change) AngusYoung battlescarred'red 1 Bagman BenRoethig Blackintosh Bloodshottrollin captmark Chopper chronster Da Harder extremeskater iGenius (aka Josh.B and SpotOn) g3-ro gVibe Gazoobee ski1 Sofabut SpotOn StLBluesFan Stonefree Tekstud AngusYoung Mactripper (aka WooHoo) Matt_s Stevie Stonefree webmail
post #40 of 211
Quote:
Originally Posted by davesw View Post

enjoying the "wallpaper" on your android phone yet?

Yes, very much so as they're all from my own personal photo collection...
"Why iPhone"... Hmmm?
Reply
"Why iPhone"... Hmmm?
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
AppleInsider › Forums › Mobile › iPhone › Millions of Android users hit by malicious data theft app