Android Wallpaper Apps Falsely Accused of Spyware and Stealing Sensitive User Data [FUD]
Jul 30, 2010 8:27 AM
Wow! A recent VentureBeat article put the blogosphere and smartphone industry on its heels when a reported score of Android wallpaper apps were accused of being malicious. The wallpaper apps, created by “jackeey,wallpaper” and “IceskYsl@1sters!” (indeed the same developer under separate accounts), were accused of sending private, sensitive user data to a website, www.imnet.us, on servers in China. The worst part about all of this is that no one, I mean no one, fact-checked accurately. VentureBeat, The Wall Street Journal, CNET, Fast Company, Fortune, PC World, Computerworld, Gizmodo, AppleInsider, etc.: the list goes on and on, and everybody jumped the gun in reporting the issue. No one asked the developer about it or really looked into the methods Lookout used in building its report, called the App Genome Project.
Quote from what VentureBeat reported that started all the Controversy
Update: Lookout notes it does not capture browsing history and text messages.
It collects your browsing history, text messages, your phone number, subscriber identification, and even your voicemail password, as long as it is programmed automatically into your phone. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China. The app has been downloaded anywhere from 1.1 million to 4.6 million times. The exact number isn’t known because the Android Market doesn’t offer precise data. The search through the data showed that Jackeey Wallpaper and another developer known as iceskysl@1sters! (which could possibly be the same developer, as they use similar code) were collecting personal data. The wallpaper app asks for permission to access your “phone calls,” but that isn’t necessarily a clear warning. While suspicious, Lookout says there isn’t evidence of malicious behavior.
Response from the Accused Developer
We were the first to talk with the developer of the wallpaper apps, Jackeey Wu, in an exclusive interview, as no other source had reached out to him at the time of the growing wildfire. Since the massive coverage, Google has pulled all the wallpaper apps from both accounts pending further investigation. We would like to share our interview with the developer verbatim, in response to all the media reports:
Hi, I noticed in venturebeat.com that the CEO of Lookout said that I have collected user’s data in my wallpaper apps. The data includes browsing history, text messages, phone’s SIM card number, subscriber identification, and even your voicemail password.
I do not collect user data like what the CEO of Lookout said in venturebeat.com
He said that I have collected the text messages; it is bullshit. We know that if a developer wants to collect text messages, he must first declare some Android permissions (android.permission.READ_SMS, android.permission.RECEIVE_SMS, or android.permission.RECEIVE_MMS). And these permissions will be shown on the Android Market security page and in Application settings. We can see in the following screenshot from Android Market that I do not declare the permission in my applications (the right one). So my applications absolutely can’t collect user messages.
In the news, it said I collected the browsing history in my applications, it makes no sense.
You can see the screenshot below. The “Browser” application declares the permissions to read/write browsing history and bookmarks. But in all my applications, I do not declare those permissions to collect these user’s data.
Other wallpaper application collected more data.
Please look at the most popular wallpaper apps, i.e. “Background”. That application required 8 permissions. My applications just required 5 permissions to make the app run well, and all of these permissions are contained in “Background”.
In my applications I collected some device data, not user data.
I collected the screen size to return more suitable wallpaper for the phone. More and more users emailed me telling me that they love my wallpaper apps so much, because even “Background” can’t suit the phone’s screen well.
I also collected device id, phone number and subscriber id; it has no relationship with user data. There are few apps in Android Market that have the favorites feature. Many users suggested that I should provide the feature, so I use these to identify the device, so they can favorite the wallpapers more conveniently, and resume their favorites after system resetting or changing the phone.
I am just an Android developer, I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.
I am wondering why the CEO of Lookout or the author of venturebeat.com attacks me and makes irresponsible points.
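The permission argument in the developer's statement can be checked mechanically against an app's manifest. The following is an added example, not code from the developer, Lookout, or this post; it assumes the APK's manifest has already been decoded to text XML, and the sample manifest is constructed for illustration, not taken from the real apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data category -> permissions, any one of which is needed to reach it
# (permission model of 2010-era Android, where grants happen at install time).
REQUIRED = {
    "text messages": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.RECEIVE_MMS",
    },
    "browsing history": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "phone number / subscriber ID / device ID": {"android.permission.READ_PHONE_STATE"},
    "network upload": {"android.permission.INTERNET"},
}

# Constructed manifest (hypothetical package name and permission set).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Wallpapers"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}


def audit(manifest_xml):
    """Map each data category to the declared permissions that unlock it."""
    declared = declared_permissions(manifest_xml)
    return {cat: sorted(perms & declared) for cat, perms in REQUIRED.items()}


def reachable(manifest_xml):
    """Categories the app could access, given what it declares."""
    return sorted(cat for cat, hits in audit(manifest_xml).items() if hits)


if __name__ == "__main__":
    for category, hits in audit(SAMPLE_MANIFEST).items():
        status = "possible via " + ", ".join(hits) if hits else "not declared"
        print(f"{category:42} {status}")
```

A missing permission rules a category out; a declared one only shows the access is possible, so what is actually sent still has to be confirmed from the app's network traffic.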
Lookout’s Update About Wallpaper Apps
For obvious reasons Lookout could not respond to my questions at the time of researching this issue, but has published technical details in an update on its blog, stating:
While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior. There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent.
(Update: 3:00pm CDT 7/30/10. I was able to personally speak with Erika Shaffer, PR for Lookout to give their statement about what they said and demonstrated at Blackhat 2010)
Lookout didn’t retract anything. When we saw the misinformation being spread we posted as soon as we could a complete post on what we had found about these apps. That they were transmitting the phone number, subscriber ID and voicemail phone number to a server owned by the developer. We said that in the presentation on Wednesday.
(Update: 6:14pm CDT 7/30/10. I had a personal conversation in addition to email correspondence with Lookout’s CEO John Hering to give his statement regarding what they said and the research demonstrated)
This makes it clear that there was some initial misreporting of our research, though we want to be clear that we never said that the wallpaper apps were malicious and we never claimed that the apps gathered more than the data we disclose in our blog post (e.g. subscriber id, phone number, voicemail password). We’ve been working around the clock to make sure everyone gets it right.
Thanks again for taking the time to chat. As I mentioned when we spoke, our goal is to help make users and developers alike more aware of what is happening in the world of mobile apps to ensure a safe mobile experience. Please feel free to give me a call if you want to talk.
In my phone conversation with Hering, he brought up a good point about what their research could reveal about the potential harm of sensitive user data being leaked. Recalling his example: if a user is in a coffee shop on unsecured Wi-Fi and an app is transmitting data like phone numbers and voicemail passwords unencrypted, in clear text, a malicious hacker sniffing that transmission could retrieve the information. Their research aims to make mobile app developers more aware of possible inadvertent and/or unsecured transmission of sensitive data that users obviously wouldn’t know about.
My Preliminary Conclusion
True, all users should indeed be aware of what they are installing from the Android Market. True, the openness of the Android Market is both its strength and its weakness, as something like this could be exploited. In this particular instance… it may not be the case, especially for what seems like a developer trying to improve his app by grabbing device data to make an in-app “favorites” feature. Maybe his approach was suspicious and overzealous, as Lookout corrected, but was the mass negative press, without covering the complete story, warranted???
I believe Lookout’s reassessment should have been issued in the beginning versus retroactively clarifying; it makes me question their app security scanning and protection features of Lookout Mobile Security. Hopefully Google’s investigation will put a final ruling to this.
I’ll leave you with these 3 words… Fear, Uncertainty, and Doubt!
Tags: Android App, Android App Data Security, False Accusations, Fear Uncertainty Doubt, jackeey wallpaper, Jackeey Wu, Lookout Mobile Security, Malicious Android Apps, Spyware Android Apps, Wallpaper Apps
Categorised in: Apps Blog, Featured, News