The exploit, tied to an app that appeared to simply load free custom background wallpapers, was downloaded "anywhere from 1.1 million to 4.6 million times. The exact number isnt known because the Android Market doesnt offer precise data," according to a report by Dean Takahashi of VentureBeat.
The app "collects a users browsing history, text messages, your phones SIM card number, subscriber identification, and even your voice mail password. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China," the report noted (see the update by Lookout below).
The data upload was only discovered afterward, through forensics performed by mobile security firm named Lookout which sells virus and malware protection software for Android, Windows Mobile and BlackBerry devices. The problem was announced at the Black Hat security conference being held in Las Vegas.
(Update: Lookout has clarified in followup comments with AppleInsider that the intent of their "App Genome Project" research was to "identify security threats in the wild and provide insight into how applications are accessing personal data and other phone resources."
The group noted that the Android wallpaper app was "not proven to be malicious," but that the app does "ask the user for specific information around the phone details and that information is transferred to a server [in China]."
Correcting the original VentureBeat story, Lookout stated that "the apps from these developers send several pieces of sensitive data to a server, including a devices phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a devices SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password)."
Lookout also reiterated there is "no proof of malicious intent and in the past apps have been a bit overzealous in getting access to sensitive data with no ill intent." Lookout compared the Android wallpaper app copying local data to a Chinese server with a recent App Store title that purported to be a flashlight app while actually including a hidden SOCKS proxy that could be used for tethering.
Lookout added that it hasn't "yet" published a report detailing the Android wallpaper app, suggesting that it is continuing to look at the situation.)
Mobile data theft on the increase
The issue recalls a recent AT&T website leak that could hypothetically have enabled a malicious hacker to access 144 thousand of iPad 3G user's email addresses.
However, the Android app data theft was actually perpetrated by malicious hackers and not just demonstrated by researchers; it involves far more sensitive data; and affected far more victims--by more than an order of magnitude.
iOS vs Android in app security
Apps on any platform can access personal data and forward that data to an external server, but the Lookout research found that 47 percent of the selection of Android apps it looked at incorporated third party code (which may include malicious functions), while only 23 percent of analyzed iPhone apps did.
Apple also approves iOS apps through a strict vetting process before listing them in the App Store, while Google's Android Market app security involves simply warning the user that an app needs permissions to perform certain functions during the install.
Unlike other mobile platforms secured by Lookout, Apple's iOS platform doesn't have a live virus problem because third party iPhone apps can only be distributed through Apple's curated App Store, and apps are forced to run in a segregated sandbox environment where they can't infect the system. That doesn't necessarily mean iOS apps can't forward user data inappropriately however; Apple has discovered and pulled apps that have violated its privacy policies.
Apps must also be signed by a certificate created by Apple, which makes it much harder for malicious developers to anonymously distribute software designed to cause problems or steal data. Apple's security measures also make such efforts less attractive financially, despite the iOS platform's installed base being much larger than Android's.
Exploitable vulnerabilities in the iOS platform have been reported elsewhere, including the Safari browser, but crafting a malicious attack via the browser requires luring users to a malicious site rather than simply distributing a bad app that appears to be useful and genuine.
Lookout chief executive John Hering said in the report that "he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps," but the report noted it's "unclear what happens" when apps don't actually do what they represent.