[Update] Another App Stealing Data?

Security firm MyLookout claims that developer Jackeey – the publisher of the app Wallpaper in the Android market – is sending your data to someone in China if you have their app installed. The collection of apps pose as harmless wallpaper galleries, but they do a lot more behind that black, shady curtain that you don’t see. Namely, your browsing history, text messages, SIM card data, subscriber ID, phone number and your voicemail password are all candidates to be intercepted by the app and sent to mainland China.

wallpaper-hack

Reports are saying that at least 1.1 million users are affected by the malicious app, but we’re positive Google will engage that handy killswitch we know they have on standby to take care of this unfortunate circumstance. If you have that app installed, be sure to remove it from your phone at once if Google hasn’t already done it for you.

[Update]: MyLookout chimed in with us to clarify some details that other outlets have been reporting. Specifically, the app does collect data from your phone, but only the device’s phone number, subscriber identifier, and voicemail number fields are retrieved. SMS and browsing history are not touched by any of the apps they analyzed throughout their Blackhat conference. Your voicemail’s password is also not transmitted unless you included the password in your phone’s voicemail number field.

We’re not yet certain on what the developer’s intentions are for using the pieces of data it does send to China – so we can’t outright call it malicious – but it is collecting and sending data nevertheless. Hopefully that clears up some of the confusion everyone’s been faced with regarding the read-only property READ_PHONE_STATE that the application uses to access certain pieces of data.

[via Android Central] [9to5 Mac] [MobileBeat]

Continue reading:




  • Oletros

    I have read the same story on Appleinsider but I thought that an Android site would check better the facts.

    Can anyone tell me how an app with READ_PHONE_STATE permissions can read SMS’s, browsing history, voice mail passwords et al?

    Looking at androlib and Google Market the only strange permission is READ_PHONE_STATE and this permission is required for backward compatibility.

    And the number of downloads is between 50.000 and 250.000

  • Mark

    There’s no fact checking on this site

  • bob

    I used to like this site until I realised there copy & paste merchants

  • SwampFox

    ??? this is a serious accusation here… wow. *going to get popcorn and some beer*

  • Sean

    @ Oletros

    Why are you copy and pasting the same thing on every Android website? Seems a little suspicious.

  • Oletros

    Suspicious of what? Of being lazy and doing copy & paste?

  • Quentyn Kennemer

    I looked into the Android SDK documentation and various forum threads by Android developers discussing the property and I cannot find anything that says it does more than just reads the phone state. I can’t seem to determine what is gained by accessing the read-only property, but feel free to chime in if you come up with anything in your search. I’m just reporting the story as it’s been reported by other reputable sources.

  • ChazClout

    I thought the same as you Oletros. There is a discussion on Macrumors about it so I posted this: http://forums.macrumors.com/showpost.php?p=10684422&postcount=20
    The permissions requested by one of Jackeey Wallpaper’s app just doesn’t add up.

    The fact that Lookout sell anti-malware apps means I’d like to see some independent verification before worrying.

  • DKYang

    Since when did Lookout sell anything? They are free and have remained free ever since they started up. I’ve never heard of them accusing anyone doing harmful things until now. Of course that doesn’t mean they are right just yet.

    After looking at that macrumor post. Btw, good job of posting the link to post only and not the stupid thread containing a bunch of ignorants. I cannot see the reason why a wallpaper needs 3 of the 4 permissions listed. Granted, network communication makes sense if it contains ads, but the other two should not be there.

  • Matt

    I don’t see this on Lookout’s blog?

  • http://creativepath.co.uk/ Dan Davidson

    Damn, I had one of the Jackeey apps on my phone ‘wallpapers, advanced’. Bit of a crappy application but didn’t think it was actually malicious. Uninstalled.

  • Oletros

    Did them tell you how they collect and send that data?

  • uprooted

    And if your phone is rooted (or rootable) just imagine the kind of things malicious apps can do and the data they can collect!

  • derrickISONLINE

    Looks like we’re going to need a ZoneAlarm-like firewall app for our phones now! It was only a matter of time.

  • ChazClout

    @ DKYang

    An Appleinsider article stated:
    “The data theft was only discovered afterward, through forensics performed by mobile security firm named Lookout which sells virus and malware protection software for Android, Windows Mobile and BlackBerry devices.”

    That was why i was under the impression the sold their software.
    http://www.appleinsider.com/articles/10/07/29/millions_of_android_users_hit_by_malicious_data_theft_app.html

    Last time I take any notice of an Apple site regarding Android news. ;)

  • Phil

    @derrickISONLINE Its not to difficult to do at all if they haven’t ripped IPtables out of Linux. But the same person that read right past the permissions on this app would grant it permission to make outgoing connections to get the wallpapers. I don’t really think firewalls help the consumer all that much with things making outgoing connections. They won’t know what to block.

  • Alex

    what is even more dumbfounding, is the first ones to comment negatively about Phandroid’s posts, are of the first to read & post on this site. Buncha trolling haters.

  • Shinzakura

    “so we can’t outright call it malicious”

    But you just did two paragraphs prior. Editing can be your friend.

  • Kevin

    I believe READ_PHONE_STATE, INTERNET, AND COURSE_POSITION are usually required for most Advertising libraries. So if it has a banner ad, it’s probably collecting all that data to deliver targeted data as well as to keep track of which handset is making ad requests.

  • Fjord Prefect

    I never have problems with my wallpaper app sending sensitive data to communist countries on my iPhone. Must be an Android thing.

  • Logotic

    It’s just a way for the Chinese to get a laugh. Every time someone installs of these lame jackeey apps, they go “Ha-ha! Another roundeye loser! America no threat to us!”

  • SwampFox

    Android does have IP Tables, there are firewall apps out already but they are above 99% of the users heads. This is a serious accusation and Phandroid really should make ABSOLUTE sure that it is legit before repeating news like this as it can ruin a company/developer’s career for a long time. At the very least they can be out months or years of work… I looked at some of their wallpapers and they do not seem to be asking for permissions to anything any more personal than any app running admob, quattro, or google ads. Also, to the person that commented about rooted phones. You must individually grant an app root permissions, so obviously you would not grant access to a wallpaper app!

  • Oletros

    The response from the developer:

    http://www.scribd.com/mobile/documents/35072457

  • MansterRock

    Nice rebuttal by app dev. Seriously Phandroid. You really need to check those facts out from BOTH sides before you post something like this.

    On another note however, Market Spammers by the wallpaper devs is out of control. Most of these wallpaper apps clutter up the market with multiple apps by the same dev that could all be handled in one app.

    I pay for all apps that allow me to pay for them. Yet it seems ok for these wallpaper app devs, case in point in the rebuttal, to steal other peoples property. Show us your licensing contract with Sanrio that allows you to use Hello Kitty in your app!

  • Simon

    I can’t believe they still haven’t updated this post and remove the blame on the poor developer!

    shame shame shame!

  • jimmy j

    People its a wallpaper app. download pics then choose one to set as wallpaper. then change pic when bored. that simple. And thats all thats required. Any reporting of anything to anywhere is totally unnecessary and is totally suspicious. voicemail phone number AND PASSWORD if field is filled for a wallpaper pic? do you people actually think or just like to suck off devs? pffft please! it is undeniably a suspect app.
    If the tactics shown by the dev is supported and tolerated by you people, what hope do you have for a clean trustworthy app market and culture?

  • http://www.planethelicoptergame.com/2010/07/15/helicopter-game/ Arden Kattner (helicopter game)

    I really want to get my chubby paws on this! I can already feel my GPA going down until I crack the game!