At the Black Hat Security Conference in Las Vegas, John Hering, CEO of Lookout, and Kevin MaHaffey, the CTO, has told audience members that Jackeey Wallpaper, an application in the Android Market, steals your personal information and then transmits it to a server located somewhere in China.
Jackeey Wallpaper has been download between 1 and 4 million times, and once installed it steals your browser’s web history, your text message conversations, your phone number, and more, then pushes it out to the server that hosts imnet.us. The owner of said server is in Shenzhen.
Instead of slamming Google and their oversight of letting this application into the Android Market, Hering said that both Apple and Google are doing a fine job policing their application stores. This particular incident was rare. Lookout discovered the sleazy program as a part of their “App Genome Project“, which is an attempt to download and examine each and every one of the applications in Apple’s App Store and Google’s Android Market with the intent of making sure everything says what it does on the tin and doesn’t screw over innocent people.
How will Google react to this? Too soon to tell. They’ll probably say stuff like this happens. How will Apple fanbois react to this? They’ll say that this is why heavy handed policies and screening are necessary, that Apple’s App Store “just works” and doesn’t steal your personal data. How should you react to this? Be more vigilant when it comes to applications you install, and if you need a wallpaper then just use Flickr or Google Image Search.
Note that Lookout sells antivirus software, so take what they’ve got to say with a grain of salt. You don’t need antivirus software on your smartphone, you just need a healthy dose of common sense. Same goes for personal computers, but that’s another aneurysm inducing conversation for a later day.
[Via: Venture Beat]
Update: Venture Beat’s information was wrong and they’ve corrected their article. Max Nelson, who does PR on behalf of Lookout, sent us this email:
I work at the PR firm for Lookout security, and I wanted to reach out to you about your article on the Android Wallpaper app that is taking users personal information.
The app does not actually steal users web history or text message conversations. Instead, the app transmitted the device’s phone number, subscriber identifier (e.g. IMSI), and the currently entered voicemail number on the phone. This is an important distinction for Lookout, because they did not actually find that the app was doing anything malicious. It is certainly suspicious, but it is important to clear up that they did not actually steal info like SMS conversations.
If you could potentially update your post, it would be much appreciated. If you would like any more clarification on the app (and what it did and did not do), just let me know.
Thanks!