Millions of Android users hit by malicious data theft app

Posted:
in iPhone edited January 2014
An app distributed by Google's Android Market has collected private data from millions of users and forwarded it to servers China, validating Apple's uniquely strong stance on mobile security in the iPhone App Store.



The exploit, tied to an app that appeared to simply load free custom background wallpapers, was downloaded "anywhere from 1.1 million to 4.6 million times. The exact number isn?t known because the Android Market doesn?t offer precise data," according to a report by Dean Takahashi of VentureBeat.



The app "collects a user?s browsing history, text messages, your phone?s SIM card number, subscriber identification, and even your voice mail password. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China," the report noted (see the update by Lookout below).



The data upload was only discovered afterward, through forensics performed by mobile security firm named Lookout which sells virus and malware protection software for Android, Windows Mobile and BlackBerry devices. The problem was announced at the Black Hat security conference being held in Las Vegas.



(Update: Lookout has clarified in followup comments with AppleInsider that the intent of their "App Genome Project" research was to "identify security threats in the wild and provide insight into how applications are accessing personal data and other phone resources."



The group noted that the Android wallpaper app was "not proven to be malicious," but that the app does "ask the user for specific information around the phone details and that information is transferred to a server [in China]."



Correcting the original VentureBeat story, Lookout stated that "the apps from these developers send several pieces of sensitive data to a server, including a device?s phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a device?s SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password)."



Lookout also reiterated there is "no proof of malicious intent and in the past apps have been a bit overzealous in getting access to sensitive data with no ill intent." Lookout compared the Android wallpaper app copying local data to a Chinese server with a recent App Store title that purported to be a flashlight app while actually including a hidden SOCKS proxy that could be used for tethering.



Lookout added that it hasn't "yet" published a report detailing the Android wallpaper app, suggesting that it is continuing to look at the situation.)



Mobile data theft on the increase



The issue recalls a recent AT&T website leak that could hypothetically have enabled a malicious hacker to access 144 thousand of iPad 3G user's email addresses.



However, the Android app data theft was actually perpetrated by malicious hackers and not just demonstrated by researchers; it involves far more sensitive data; and affected far more victims--by more than an order of magnitude.



iOS vs Android in app security



Apps on any platform can access personal data and forward that data to an external server, but the Lookout research found that 47 percent of the selection of Android apps it looked at incorporated third party code (which may include malicious functions), while only 23 percent of analyzed iPhone apps did.



Apple also approves iOS apps through a strict vetting process before listing them in the App Store, while Google's Android Market app security involves simply warning the user that an app needs permissions to perform certain functions during the install.



Unlike other mobile platforms secured by Lookout, Apple's iOS platform doesn't have a live virus problem because third party iPhone apps can only be distributed through Apple's curated App Store, and apps are forced to run in a segregated sandbox environment where they can't infect the system. That doesn't necessarily mean iOS apps can't forward user data inappropriately however; Apple has discovered and pulled apps that have violated its privacy policies.



Apps must also be signed by a certificate created by Apple, which makes it much harder for malicious developers to anonymously distribute software designed to cause problems or steal data. Apple's security measures also make such efforts less attractive financially, despite the iOS platform's installed base being much larger than Android's.



Exploitable vulnerabilities in the iOS platform have been reported elsewhere, including the Safari browser, but crafting a malicious attack via the browser requires luring users to a malicious site rather than simply distributing a bad app that appears to be useful and genuine.



Lookout chief executive John Hering said in the report that "he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps," but the report noted it's "unclear what happens" when apps don't actually do what they represent.
«13456711

Comments

  • Reply 1 of 216
    Androiders gonna need one of these. Ewwwwww.
  • Reply 2 of 216
    markmsmarkms Posts: 9member
    Enjoy your "open" market, Android users.
  • Reply 3 of 216
    I love the (Walled Garden)
  • Reply 4 of 216
    matrix07matrix07 Posts: 1,993member
    Soon Android users would need to install data protection app as a standard procedure much like Anti-Virus software in Windows system.
  • Reply 5 of 216
    bushman4bushman4 Posts: 797member
    Apple on the money when saying Jailbreaking wiil lead to piracy, viruses, and cause the IPHONE to lose its SECURE environment.

    Sure some people find jailbreaking an advantage. But lets think about all the downside as well.
  • Reply 6 of 216
    ghostface147ghostface147 Posts: 1,629member
    Quote:
    Originally Posted by MarkMS View Post


    Enjoy your "open" market, Android users.



    Now now, Apple also let a major bank publish an app that saved your private banking info, so it's not all great over on Apple's side either. How did that get past the Apple secret police?
  • Reply 7 of 216
    nasseraenasserae Posts: 3,153member
    Quote:
    Originally Posted by ghostface147 View Post


    Now now, Apple also let a major bank publish an app that saved your private banking info, so it's not all great over on Apple's side either. How did that get past the Apple secret police?



    It saved banking data IN the bank app itself IN the iPhone. Not sending the data to Some hacker in China. Big difference.
  • Reply 8 of 216
    Wait wait wait one damn second. You're trying to tell me that an 'open', unregulated, app store might have malicious apps on it from China? And these apps would collect personal and private data then transmit it to China? NO FREAKING WAY. Google has always been known for protecting user data and sees protecting it's customers as a priority. Android is simply the safest phone OS on the market! <insert sarcastic wit here> This while story comes as no surprise.... <rolls eyes>
  • Reply 9 of 216
    sennensennen Posts: 1,465member
    waiting for the flood of "freedom fighters" to arrive...
  • Reply 10 of 216
    nvidia2008nvidia2008 Posts: 9,262member
    Love to see the fandroids response to this...
  • Reply 11 of 216
    quinneyquinney Posts: 2,523member
    Quote:
    Originally Posted by AppleInsider View Post


    The exploit, tied to an app that appeared to simply load free custom background wallpapers, was downloaded "anywhere from 1.1 million to 4.6 million times. The exact number isn’t known because the Android Market doesn’t offer precise data," according to a report by Dean Takahashi of VentureBeat.



    The app "collects a user’s browsing history, text messages, your phone’s SIM card number, subscriber identification, and even your voice mail password. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China," the report noted.



    I wonder if any EFF members downloaded the pretty wallpaper onto their android phones.
  • Reply 12 of 216
    maccherrymaccherry Posts: 924member
    Quote:
    Originally Posted by FormerARSgm View Post


    Wait wait wait one damn second. You're trying to tell me that an 'open', unregulated, app store might have malicious apps on it from China? And these apps would collect personal and private data then transmit it to China? NO FREAKING WAY. Google has always been known for protecting user data and sees protecting it's customers as a priority. Android is simply the safest phone OS on the market! <insert sarcastic wit here> This while story comes as no surprise.... <rolls eyes>



    OH NO YOU DIDN'T!!!!!!!!!!!!!!!!!!!!!!!



    LOL!!!!!!!!!!!!!

    Good god!
  • Reply 13 of 216
    mactelmactel Posts: 1,275member
    See Apple told you so!



    For those the jailbreak their iPhones they are more likely to get played by malware writers. Now that it is legal to jailbreak I'm sure more people will do it. We may even see a lawsuit from jailbroken iPhone users claiming Apple didn't protect them enough.
  • Reply 14 of 216
    mactelmactel Posts: 1,275member
    Quote:
    Originally Posted by BUSHMAN4 View Post


    Apple on the money when saying Jailbreaking wiil lead to piracy, viruses, and cause the IPHONE to lose its SECURE environment.

    Sure some people find jailbreaking an advantage. But lets think about all the downside as well.



    From my encounters, the main reason people jailbreak is to get on T-Mobile and away from AT&T. Then they can tether and do all kinds of things AT&T doesn't like. Get the iPhone on T-Mobile and many will stop jailbreaking as it wouldn't be worth it then.
  • Reply 15 of 216
    maccherrymaccherry Posts: 924member
    Ha ha!!!!!!

    Eric Shmidt tried his damnedest to derail Apple by lauding the so-called freedom of OPEN SOURCE in contrast to Apple's so-called draconian(whatever Eric) app acceptance practice. Not that anything is wrong with open source per se but we all know Eric was trying to win over people. This is what we all knew was going to happen. Did you not see the writing on the walls?

    There are too many fu***** people thinking Apple is some dumb country bumpkin outfit. THEY AIN'T!!!!!!!

    Apple is a world class, and I stress world class, technology company.

    Job is surrounded by the best and brightest. He gets his information form the source, He knows what the hell he's talking about. The problem is the rest of the industry doesn't want YOU to know the truth. Sh** happens!!!!!
  • Reply 16 of 216
    quinneyquinney Posts: 2,523member
    Quote:
    Originally Posted by sennen View Post


    waiting for the flood of "freedom fighters" to arrive...



    Be patient. It takes some time to make sure one's personal data has not been stolen and exploited, and then it takes more time to come up with a rationalization or some way of muddying the waters so that the whole setup of the Android Market bears no blame.
  • Reply 17 of 216
    Millions affected. Not a single one complains. And no lawsuits! And yet some of these Android users (who don't even own an iPhone 4) are constantly finding a new thing about the iPhone to carp about.
  • Reply 18 of 216
    daveswdavesw Posts: 406member
  • Reply 19 of 216
    "The exact number isn?t known because the Android Market doesn?t offer precise data"



    How do they correctly compensate developers then?
  • Reply 20 of 216
    No Jacket Required...but you better wear a condom
Sign In or Register to comment.