Forgot your password?
typodupeerror
Cellphones Security

Android Data Stealing App Downloaded By Millions 335

Posted by CmdrTaco
from the nobody-is-safe dept.
wisebabo writes "A wallpaper utility (that presents purloined copyrighted material) 'quietly collects personal information such as SIM card numbers, text messages, subscriber identification, and voicemail passwords. The data is then sent to www.imnet.us, a site that hails from Shenzen, China.'"
This discussion has been archived. No new comments can be posted.

Android Data Stealing App Downloaded By Millions

Comments Filter:
  • by Anonymous Coward on Thursday July 29, 2010 @12:11PM (#33070450)

    Do you really need to know the name of the app in order to avoid it? I think that you should know well enough to avoid wallpaper apps! Those (and screensavers) were something like number 1 way for viruses to spread on computers in the late 90s or so. The same people who fell for those then can now afford expensive phones and fall again for the same scam.

  • Re:I'm confused... (Score:4, Interesting)

    by arth1 (260657) on Thursday July 29, 2010 @01:23PM (#33071932) Homepage Journal

    Wallpapers aren't just static images.

    The wallpaper I have here, changes colour depending on the time of day.
    You can even show a view adjusted for the weather where you are.

  • Re:Developers Bitch (Score:3, Interesting)

    by diamondsw (685967) on Thursday July 29, 2010 @01:34PM (#33072144)

    The tethering app wasn't discovered because it was extremely difficult to trigger - it required very specific network settings, a multi-step setup process, and tapping different colors in a specific pattern just to enable the tether. Very different from discovering an app is sending your data off wholesale.

    The hidden tethering app is only going to be discovered via thorough code decompilation and analysis. Sending chunks of data to a random server for no appreciable purpose can be found easily via tcpdump.

  • Re:Thats it! (Score:3, Interesting)

    by TheRaven64 (641858) on Thursday July 29, 2010 @01:35PM (#33072170) Journal

    There's absolutely no reason that this should be the case. I can't speak for Windows Mobile, but the Symbian kernel has a capability model that makes it relatively easy to protect against this kind of thing. Applications, by default, can only read a few system locations (shared libraries and so forth) and can only write into their own directory. Each shared library and each application has a set of capability bits. A shared library can only be loaded by processes that have all of the capability bits that the library has (so, for example, if your app doesn't have the SMS capability, it can't load shared libraries that require it). If you install a wallpaper app, and it has the capabilities to inspect arbitrary directories, system configuration, and so on, then you'd expect to know something is wrong. Unfortunately, the Symbian UI sucks so badly that it probably doesn't actually tell you this...

    Interestingly, OS X also has quite a nice subsystem for running untrusted code. On recent versions, there are predefined sandbox settings for preventing writes, preventing Internet access, and preventing writes outside /tmp. It's not used much on the desktop (not at all for untrusted code, where it would be most useful), but it might be used on the iPwn.

  • Re:I'm confused... (Score:2, Interesting)

    by mafian911 (1270834) on Thursday July 29, 2010 @01:49PM (#33072488)
    I don't think this post is flamebait. Ok, well, "dumb" is harsh, but I do think the iPhone is targeted toward people who really just don't know any better. That's why the phone is so easy to use, bc hell, a baby can figure it out.

    Android allows you to do more, but at the cost of a little extra complexity. I think an average user can handle it, I know a lot of people with average intelligence that have no problem with it. It's the users that aren't so smart that may have a hard time with it. Those users may want to consider an iPhone.
  • Who is behind it? (Score:1, Interesting)

    by Anonymous Coward on Thursday July 29, 2010 @02:55PM (#33073826)
    Lets see, a simple whois shows:

    Administrative Contact Name: Ice Ysl
    Administrative Contact Organization: 1sters
    Administrative Contact Address1: china
    Administrative Contact City: shenzhen
    Administrative Contact State/Province: guangdong
    Administrative Contact Postal Code: 86
    Administrative Contact Country: China
    Administrative Contact Country Code: CN
    Administrative Contact Phone Number: +7.5526814587
    Administrative Contact Email: iceskysl@gmail.com

    A google search on iceskysl@gmail.com comes up with a surprising number of hits. No fake email here.
    Android Intent is so powerful and great. [google.com]
    Our boy has been busy on the Android [csdn.net]
    And it goes on...
  • Re:I'm confused... (Score:3, Interesting)

    by disambiguated (1147551) on Thursday July 29, 2010 @03:29PM (#33074404)
    Yes that is exactly how it works. You specify which permissions your app needs in the xml manifest. These permissions are displayed to the user. If your app attempts to use an API which requires permissions not specified in the manifest, the app gets a security exception. It doesn't rely on the developer being honest.
  • by gotpoetry (1185519) on Thursday July 29, 2010 @04:14PM (#33075206)
    These wallpaper apps cannot access your contact's phone numbers, SMS messages or personal information.

    Check out the manifest permissions [macrumors.com] on the apps in question. It is the last item that is the problem.

    !Storage
    modify Delete

    !Your location
    coarse (network-based) location

    !Network communication
    full Internet access

    !Phone calls
    read phone state and identity

    The permission only allow the app to read the IMEI number of your phone (your hardware's unique identifying number), your phone number, and your currently programmed voice-mail number. If you hard coded your voice-mail password as part of your voice-mail number, then they have that too.

    They shouldn't be stealing this info, and Google should separate "read phone state" from "read identity", but the stories on this app stating that your SMS's, contacts and grandmother's girdle being stolen and sent to China just plain wrong.
  • Re:I'm confused... (Score:3, Interesting)

    by CharlyFoxtrot (1607527) on Thursday July 29, 2010 @06:23PM (#33077070)

    Android allows you to do more, but at the cost of a little extra complexity. I think an average user can handle it, I know a lot of people with average intelligence that have no problem with it. It's the users that aren't so smart that may have a hard time with it. Those users may want to consider an iPhone.

    It's not about smartness but intuitiveness. Apple doesn't want the user to have to learn a new OS (the different types of permissions, etc.) to be able to use his/her phone. The user should just be able to pick it up and do a task with as little interference as possible. We used to call this KISS and it's actually a lot harder to do correctly than to just offer up a bunch of options and configurations to the user. I picked up an android phone in a store the other day and my first thought was how busy the user interface was.

Theory is gray, but the golden tree of life is green. -- Goethe

Working...