

Android wallpaper app that steals your data was downloaded by millions - pkchen
http://mobile.venturebeat.com/2010/07/28/android-wallpaper-app-that-steals-your-data-was-downloaded-by-millions/

======
there
so what were the security permissions requested by this app at the time of
installation? i have to imagine that if it was taking web browsing history
that it would have needed more permissions than just "uses network data".

android's fine-grained security permissions, where the author has to
explicitly request each type (network use, prevent the screen from turning
off, etc.) and the user is shown the list of permissions requested before
installing, is good from a security standpoint, but i think it's ended up
being like windows vista. users either don't read, don't care, or don't
understand what is being asked of them and they just click whatever is needed
to continue. even an advanced user can't tell the difference between a free
app requesting network access to download advertisements and a malicious one
using it to upload private information.

~~~
maxjg
Just out of curiosity, when an android app is updated, how are permissions
handled? Do you receive a prompt to allow new privileges, or does it assume
you approve of it already?

You bring up an astute point on the vague "network access" permission, but
there's really not an easy answer to this. How would you fix it? Ask the
developer to simply say what the access will be used for? In an malicious app,
they'd obviously just lie. Short of actually displaying what data an app is
sending, I don't see an easy answer.

~~~
eli
Yes, if an update requires new permissions, it must be explicitly approved
again and cannot be auto-updated.

------
jlgosse
If this is true, I'm disturbed by the fact that:

1\. Google has failed to tell any of us this, 2\. I don't even know if I had
any of the vendor's applications in the past, as they have been removed
entirely, AND 3\. Google has failed to tell any of us this!

I mean what the hell, at least send us an email telling us that because we
downloaded AppXYZ, our data has been compromised by some low-life(s) in China.
I'm going to end up being a lot less likely to download random apps now, not
only because of this really sketchy incident, but because of the lack of
transparency on Google's part.

Damn.

~~~
SoftwareMaven
Does Android have the ability to remotely kill applications like iOS? If so,
perhaps they did that, so your app just disappeared if you had it.

I was going to say "I can't imagine Google hushing up a security issue", but
it does have the potential to get thrown in their face by Apple, "See, our
walled garden is a good thing." (Not that I believe for an instant that
Apple's approval would catch something like this.)

~~~
megablast
Yes, they do. I am pretty sure they have already removed one application. Lets
wait to hear what google says before we all go crazy.

~~~
masklinn
> Yes, they do. I am pretty sure they have already removed one application.

Two, I believe (though at the same time and by the same author)

------
jacquesm
A typical case of overblown 'user failure', not Android security model
failure. If a wallpaper app wants internet access and you allow it you really
only have yourself to blame.

Wallpaper, cursors packages, screen savers and other dumb 'customisation'
gadgets have been malware vectors on the windows platform for about 15 years
now, why would phone platforms be any different ?

~~~
nailer
Because this wasn't some random APK downloaded directly from the internet and
thrown onto a phone after the 'APKs from the internet might harm your
security' message.

It was uploaded to Android Market and provided by Google, who as an arbiter of
content, should realize that 'collect phone data' isn't an appropriate
permission for a wallpaper.

~~~
jacquesm
So, Google has a responsibility to check each and every app for malicious
intent by the uploader?

I really think that goes one step too far, that's exactly what apple does with
their market place and I think that is a big part of the problem.

The ultimate responsibility of what you run on your computers lies with you,
not with some entity providing you with a convenient way to get at a catalogue
of stuff.

This application seems to be malicious, and it seems that the security model
is _not_ broken, after all it asks for the permissions very explicitly.

Now if only people would read those warnings and think for a bit before
clicking 'ok'.

This is analogous to people receiving an email that instructs them to open a
malware attachment.

It's simple, if you haven't inspected the source and it doesn't come from a
source that has inspected the code and that gives you a guarantee that you can
trust the stuff you download then you can not trust it.

Pushing the responsibility to Google is utterly unfair, they could never in a
lifetime review the source code of every application that every android app
developer throws out there.

~~~
jsz0
The tricky part for Google is they have pulled apps in the past so they're not
entirely absolving themselves of responsibility for the Market.

~~~
jacquesm
As I'm sure they'll pull these when the right people at google are alerted to
the problem.

But there will be more instances of this and I think that there simply ought
to be a strict procedure to report malware so it can be responded to quickly
rather than to lay the blame with google.

Then if such a procedure is in place _and_ if google would consistently refuse
to pull clearly identified malware you'd get in to a situation where you could
lay some blame.

As it is I find it premature to do this, the Android application market is
still developing as are the procedures to deal with applications that behave
in 'unexpected' ways, the first competent user that installed this stuff
should have had a way to provide feedback about the perceived security risks.

~~~
nailer
Having anything submitted to the 'Themes' category not include the permission
to view your call history is automatable.

> I'm sure they'll pull these when the right people at google are alerted to
> the problem.

I've ported about 15 different apps to Google which were blatant cases of IP
theft, and one of search results gaming. They're all still there, with zero
response. They might be better with handling malware but I doubt it.

~~~
guelo
I hope you meant reported not ported.

------
orangecat
I'm pretty sure the article is not entirely accurate. There are several apps
from "Jackeey Wallpaper" in the Android Market, all of which seem to be apps
to download wallpapers of various themes. The dozen or so I've checked have
these permissions: \- "modify/delete SD card contents" \- "coarse (network
based) location" \- "full Internet access" \- "read phone state and identity"

As far as I know none of those allow reading your browser history or text
messages, and certainly not your voicemail password. We need to see a network
capture of what was sent to their site.

~~~
tlrobinson
The app in question only sends your phone number, IMSI, and voicemail number.
They posted a clarification here: [http://blog.mylookout.com/2010/07/mobile-
application-analysi...](http://blog.mylookout.com/2010/07/mobile-application-
analysis-blackhat/)

------
credo
It seems like Android has three choices

1\. The current approach (which made it possible for the wallpaper app to
steal user data from millions of users)

2\. Prevent apps from accessing data such as voicemail-password, web-browsing
history etc. (but it is possible that some apps may have a legitimate reason
to do this and blocking these apps may not be fully consistent with the open
platform goals)

3\. Throw a big warning message EVERY time an app tries to access sensitive
data (or perhaps for the first 10 times and the first 10 days...). It is a
compromise solution, but users may find this annoying.

Either way, this is a somewhat tough problem.

------
cubicle67
_It collects ... your voice mail password_

Do the security dialogs reflect the differing levels of importance of the data
you're providing access to? If an app is requesting access to my voice mail
password, I'd expect a pretty big red strobe light stuck on the dialog;
something to really catch your attention, especially if you're trying to 'yes'
your way through 9 (number stated by jsz0 for Google Maps) of the things

------
srjk
This scared me. I just installed a wallpaper app yesterday and while doing so
thought "that's weird, why does it my personal information, phone calls etcs".
But I still got the app. I guess my excuse is being used to my iphone, I
didn't think about exactly how much access I was granting to this random app.

Anyway, I just checked, and the wallpaper app I had wasn't from jackeey. It's
a top free app on the marketplace named Backgrounds by Stylem Media. And, it
requires access to network communication, personal information, storage, phone
calls, and system tools.

I have no idea how the warnings are generated. Maybe devs are just including
random libraries in their app (copy paste?) which are setting off these
warnings? If not, why does this wallpaper app need my personal info?

Anyway, good wake up call, I will definitely be more careful wrt what I
install on my phone.

EDIT: App request: something that logs/polices information going out from my
phone. Firewall? we'll be needing a anti-virus next :(

~~~
argsv
"And, it requires access to network communication, personal information,
storage, phone calls, and system tools."

This seems like a clear warning to me for wallpaper app. Would you install
such an app on your PC/Mac?

------
rodh257
So the iPhone is too closed, and Android is too open.

In my opinion, they should have a quality assured Market, but keep the ability
to load .apk files whenever you want (and also the ability for others to
create their own marked).

Quality assurance on market should mainly be about maliciousness of
applications.

It sounds stupid arguing for android to be more closed, but really Google is
very slack with their Market.

~~~
drivebyacct2
QA at Apple would not have stopped this. I'm not surprised that people fall
for this BS. Apple would have caught this just like Apple would have caught a
flashlight with a SOCKS tunnel right?

If the App requests permission, wtf do you expect? I don't think Google even
has an obligation to remove or crackdown on these types of apps.

~~~
rodh257
every app asks for permissions, thats the problem. If I didn't use apps that
had permissions which could possibly be exploited I would have barely any
apps.

At the very least malicious apps need to be removed quickly, along with spam +
scam apps.

------
papertiger
It would be nice if the article actually named the app rather than just the
developer.

Does anyone know the app name?

~~~
cludwin
I did some digging and ...

The article doesn't mention which app was malicious however they did mention
that the app publisher went by the name of "jackeey,wallpaper".

I ran some queries and it seems like the developer that publishes apps under
"jackeey,wallpaper" also publishes under "jackeey.wu".

A list of the apps published by this developer are here (most of which are
wallpaper apps):

<http://andbot.com/developer/jackeeywallpaper>

<http://andbot.com/developer/jackeey-wu>

<http://andbot.com/developer/jackeeywu>

~~~
cludwin
I compiled a more comprehensive list of the apps that could be affected and
I'll be updating it when I find out more info:

[http://andbot.com/blog/index.php/2010/07/29/android-apps-
sus...](http://andbot.com/blog/index.php/2010/07/29/android-apps-suspected-of-
stealing-your-information/)

------
jim_h
I've gotten very selective about which android apps I install. It seems like
some apps ask for more access than I would like to give them and what I think
they need.

