Bad wallpaper appBad Wallpaper App

Update 2: We've heard back from the developer of these apps, who tells us the following:

"What the ceo [sic] of Lookout said  makes no sense. I will email you with details later."

We await the details. In the meantime, be aware that the developer listed on the suspect wallpaper apps has been changed to callmejack. We're still diving into this one. But for the time being, we recommend not installing these apps.

Original: Before we start, grab your phone and your computer and hit this link: Android apps by jakeey, wallpaper.  If you have any of these applications on your Android phone, uninstall them.

We'll wait.

Now you ask why did we recommend (nay, demand!) you uninstall any of those apps?  Lookout says that one or more of these apps are stealing your data and sending it to an unknown person or persons in China.  Yup, innocent looking wallpaper apps.  According to Lookout, the app(s) in question are collecting:

  • browsing history
  • text messages
  • your SIM card data
  • subscriber ID
  • voicemail password (if it's set to be entered automatically)

Look for Google to pull these soon, as they potentially affect at least 1.1 million users, but for now remember to read what an app can do when you install it. That's that screen you ignore every time you install an app. The one that tells you what system permissions the app has access to. If, say, a calculator wants to see your contacts list, think twice.

It's worth reminding that Android is the only OS that gives you these sort of warnings. And before any Apple fanatics get too cocky, at least these apps aren't stealing money from your Google checkout account.  We're keeping a close eye on this one, you'll hear more as it unfolds.  [Mobile Beat via 9 to 5 Mac]

Update: Lookout got back to us during the overnight to clarify a few things as reported in the Mobile Beat story. They're not going quite so far as to call the app "malicious," but questions remain. Read Lookout's e-mail to us after the break. We've e-mailed the apps' developer for further explanation.

Hi Jerry,

I wanted to reach out to you regarding the wallpaper app we recently discussed at Blackhat to clarify a few things.

Specifically, the wallpaper applications we analyzed proved to send several pieces of sensitive data to a server, including a device's phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a device's SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password).

Also, it's important to note that the applications were estimated by androidlib to have between 1 and 4 million downloads (not necessarily the same thing as 1-4 million users).

Finally, while the data the wallpaper apps are accessing are certainly suspicious coming from wallpaper apps, we're not saying that these applications are malicious. There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent.

I'm happy to answer any more questions you have.

Thanks,
Kevin

Kevin Mahaffey
Founder, CTO

Lookout, Inc.

 
There are 63 comments

chaka389 says:

This doesn't make sense, the security settings don't give them access to browsing history or SMS. This article is BS or market security warnings are absolutely worthless.

gbhil#AC says:

As far as I can tell, and this is from the Mobile Beat story -- still waiting on lookout to get back to us -- everything was covered by the apps asking for access to "phone info".

Part of me hopes this isn't true. But all of me knows we have to share it with the community just in case.

chaka389 says:

That's interesting and confusing since there are specific security settings for access to browsing history and SMS. Could you point me in the direction where I could get more info on this? That's the most concerning part of all this in my opinion.

I always believed lots of malicious apps were out there but I thought being careful about what security settings I was okay with was allowing me to not worry about that. If that's compromised, well, I've honestly lost a lot of faith in android.

gbhil#AC says:

You and me both. I hope Lookout responds to us with some info. They have to realize that some of the more savvy users will want to investigate their claims.

Dr Mixer says:

Maybe we should be promoting Lookout Mobile Security more since they caught it!

wally#AC says:

Did I misunderstand or does it say appbrain was also a malicious app

gbhil#AC says:

No. AppBrain are the good guys. I'm using their site to provide a list of the apps in question since they have them all in one place

And I've edited the link to help avoid any confusion.

gbhil#AC says:

Thanks Phil!

wally#AC says:

Thanks for clearing up the confusion

dkmorgan says:

" And before any Apple fanatics get too cocky, at least these apps aren't stealing money from your Google checkout account."

There is a huge, huge, difference between having one's account password compromised and downloading a malicious program that was approved for the store/market.

gbhil#AC says:

We're not trying to start a witch-hunt, or promote anyone just yet. As a precaution, delete the apps. If Lookout is wrong, there's some 'splaining to do.

I'm no security expert, but I know how to "de-compile" Android apps. I have one of the apps in question sitting here, reading the code, and I see some things I don't like. Things like encrypted data being sent back and forth just to download a wallpaper...or funneling traffic through bit/ly. They could be innocent, but I think we need some answers on both sides.

One thing for everyone to remember is to never download these types of apps, wallpaper apps are just pointless because almost every time the actual images are of low quality anyways. You're better off just requesting someone to crop a image for you in the forums.

j_karlgaard says:

Am I wrong or is it supposed to be apps by jackeey?

shades#AC says:

If I'm not mistaken, Symbian provides such Information during installation of an app as well: scroll through the certificate information of an application.
Some apps request such permissions at runtime, and the process is completed with a system prompt of either allowing or denying. This applies for native and for j2me apps.

jshapiro says:

that's interesting. My credit card got swiped last week and the bank caught it right away. someone tried to buy airline tickets in mexico (not to Mexico, actually in Mexico). It was the same card I used in my Google account for the market and I have (had) 3D Wallpapers installed.. good riddance. there definitely needs to be some kind of screening process for applications. It seems all too easy to publish an app with access to unnecessary data being transmitted without the end users knowledge.. I am always wondering why a free game needs access to your call history or some such..

storm14k says:

Unless your credit card data is in your personal phone data I'm not seeing how this could have taken your number....unless I'm missing something about this article. And its impossible for an app to transmit data that you deem unnecessary without end user knowledge because when you install the app you are presented with all the permissions the app is asking for and asked to OK it BEFORE the app installs. So if you install a wallpaper app that has permissions to access your SMS data for instance then thats on you.

P00r says:

I use aSpotCat from the market, it list app by permission so you can remove the one who are too curious!

I found really suspicious the claim by this company about the app stealing voicemail password since AFAIK it is not stored anywhere on the phone... so this would need some kind of real time monitoring.

I guess we will need some kind of application firewall like to on our desktop soon... but I doubt lookout will be the one unless this story is real...

Problem is that you need to give more permission to the security app than to the actual malware...

nighthawk700 says:

Nice app, thanks for recommending it! Even if this report turns out to be nothing, still good to scan every once in a while.

bjordan says:

I agree! Thanks for mentioning the app. I was just recently wondering if there was an app that did just this.

MOE-GUNZ says:

Jackeey you slick son of a bitch lol

nemesys504 says:

Is it me or does every app say can not be used in china/firewall. What does that mean? It's ok to steal from everywhere else but china? I dont think so.

gabrielzorz says:

Wall paper apps are for 14 year old girls and losers. I personally don't buy any holsters, batteries, chargers, screen protectors, blue tooth devices unless they're made by Verizon or HTC--and only at the offical verison store (Costco Kiosksvneed not apply). oooohhhhhYYYYAAAAhhhhh...Thas right beshez, you hard it: I KEEP MY 'ISH JDM STYLE IN THIS HAWUSE!!!

pseudoelf says:

Verizon doesn't make any of that stuff. They buy it from others and brand it with the big V. I don't think VZW actually makes any direct costumer comodities. VZW branding isn't a proof of quality either.

gabrielzorz says:

All that matters is that it's branded with Verizon or HTC, that means its not aftermarket but manufacture made/endorsed...just like JDM. THAS RIGHT, YOU HEARD IT! JDM OG EQUIPMENT ONLY FOR MY DINC AND IT MAKES MY PHONE PERFORM BETTER AND FASTER. EVEN MY LITTLE TOWEL TO WIPE THE SCREEN IS EMBROIDERED WITH THE HTC LOGO. Oh yeah, google is allowed too!

dscribe says:

Starts with a statement about 14 year old girls and losers and then continues with...wow...all I can say is "wow." That was so mature.

mizmercer says:

I notice that you had an earlier article on changing your wallpaper, and someone suggested Backgrounds (your spam filter won't let me link to it), which I had on my phone.

I checked the permissions, and it does ask for web access (makes sense because that's where they are "storing" the wallpaper you browse to download), SD storage (when you apply the wallpaper it gets stored on your card), Phone state (maybe in case you get a call mid browse?), but also contacts, which I just couldn't figure out for the life of me, so I removed the app for now. Thoughts?

Paterick says:

I think Backgrounds needs access to contacts because it can set one of the backgrounds as a contact photo.

mizmercer says:

It seems like you really can't tell unless you do what Jerry(?) did, which is decompile the app, where he saw it was doing some fishy stuff. It wasn't the permissions that these rogue wallpaper apps had, but what they were doing with them.

bjordan says:

*edit* ... sigh .. apparently I can't comment on the correct thread to save my life ... comment deleted

pseudoelf says:

Blackberry pops up a warning that security settings will be changed and allows you to view AND EDIT them.
That is one thing that I miss from my Storm, the ability to deny an app a specific access rather than the all or nothing approach of Android along with the ability to edit them when and how I want.

(I also miss the multi-touch built into the OS. Such as to copy text from almost anywhere for pasting - touch the two ends of the the line of text you want and everything between your fingers is selected, works for selecting groups of files or emails too in order to delete, move, or edit them.) Pinch-to-zoom is nice, but it is only one feature of multi-touch not the whole thing. All the WinMo, iOS and Android people I showed it to were always impressed when I would select a group of email to delete or text for copy/pasting using multi-touch.

Though the better multi-touch support (sans pinch-to-zoom) isn't enough to bring me back to that slow and glitchy platform.

hint hint Google... bring us global copy/paste and multi-touch group selection options.... :) it's bothersome to have to switch browsers just to copy some text from a web-page.

Sorry off topic..
The user editable app permission access would be great. If I don't want an app to use the phone data I should be able to restrict it and still use the app if that isn't critical to the function.

UncleMike says:

Though I always review the permissions required by an Android app and won't install it if I'm not comfortable with the permissions required, the ability for the end-user to grant or deny permissions on a per-app basis would be welcomed. I had forgotten that my Blackberry (that I gave up abou 18 months ago) had this ability, but even my Nextel phones and Sprint phones had this ability.

Oletros says:

I have read the same story on Appleinsider but I thought that an Android site would check better the facts.Can anyone tell me how an app with READ_PHONE_STATE permissions can read SMS’s, browsing history, voice mail passwords et al?

Looking at androlib and Google Market the only strange permission is READ_PHONE_STATE and this permission is required for backward compatibility.And the number of downloads is between 50.000 and 250.000

fdossantos says:

C'mon guys and gals. Can we leave the fanboy bullshit out of the articles? Its bad enough that we gotta deal with the BS in the comments.

Jayshmay says:

So ????when???? is Google to take action on this? All these apps are still in the market. Someone was nice enough to warn people in the comments of the 3D Wallpapers app, even made mention of Android Central!

So I wonder when Google is going to respond!

mflynn says:

This is why google needs to add some management in the market place. No oversight leads to anarchy, and as the android platform gets more popular, the risk of malware increases, google cannot make it easy for them to publish these types of apps.

storm14k says:

Looking over each app isn't going to help you all that much. It only takes a few lines of code missed out of hundreds or thousands to sneak something in malicious. Its happened already on the wall gardened platform. They have already given you the tools to judge the threat level of an app yourself. You have all the permissions that the app is asking for presented to you before you install it. If you install a wallpaper app that can read your contacts then thats on you. If the dev doesn't explain why they need to do this and you think its fishy simply don't install the app.

dam5s says:

There is already a system to report an app as malware when uninstalling it. I don't know how it's used after. But I'm pretty sure Google will do something about it if the rate of users reporting the app is high enough.

"If, say, a calculator wants to see your contacts list, think twice."

I lol'd

P00r says:

I would be more scared by a calculator that want to place phone call...

The more I read about this story the LEAST I believe it, unfortunately the harm will be made to both android and this publisher.

If this security firm was genuine, they would know how android permission work and they would have contacted Google directly before making a show at some blackhat conference with 2 Apple logo right in front of them...

I am also concerned about their supposed scanner they request much more installation right than those wallpaper, that said if they have proof they better bring them to Google asap...

storm14k says:

I dunno....whats the deal with this Lookout company? From the article on Engadget it looks like they are just trying to cause security scares on BOTH Android and iOS.

hakoreh says:

so WHERE is this complete list? I can't find it? I want to look into my apps and see what "malicious" apps I am using.

bjordan says:

... edit ... sorry replied to the wrong comment

bjordan says:

I'll be following this to see where it goes. Fortunately I didn't have any of the apps installed. Also I'm pretty careful regarding what I install and he security warnings.

Is there a detailed breakdown anywhere of what those warnings mean? Most make sense. However some I'm not so clear.

bjordan says:

Well I found this write up which was useful. Has additional links at the bottom.

http://www.downloadsquad.com/2010/06/28/understanding-the-android-market...

Great link! Does a really good job of explaining the general principals. It's the particulars we're curious about here.

tagon says:

I am a little shocked this made it on to Android Central without a little fact checking.

I check a few of the apps in questions and each of them required the same permissions.

Storage: Modify/delete SD card comments
Of course this is needed in order to save the wallpaper

Your Location: Course (network based) location
Now I know this one seems odd but most if not all apps support by ads will have this so that the ads can be delivered to you that may be local.

Network communication: full internet access
Of course that is needed the images are online

Phone calls: read phone state and identity
All apps have this so they can go to the background when a call comes in.

Nothing in there can do anything that this company says it is doing. It does not have access to the stuff it says it is sending. That is not to say it has not been programmed to do it if the permissions are changed. Just be careful when updating an app that has permission changes.

lol. You really think we did all this without actually loading the app to see what it asked for? We've reported on the initial story, we've been in contact with the security company that raised the red flag, and we've been in contact with the developer -- who has since changed names on the app and promises "details later."

Anything else you think we should do before lunch? We're on top of this one.

tagon says:

Well since you are asking maybe you should update the article with what permissions the app has and how it makes it what the company is saying the app does not possible at this time.

Again I have not looked at the code so I am not saying it isn't coded to do more, but that rather what it currently does is not a big deal.

mizmercer says:

Phil, the most compelling part of this article and later discussion is where Ghilb (I'm guessing that's Jerry, sorry newb-me), discusses de-compiling the program and seeing some questionable stuff. I think given how some of these wallpaper programs are, they need more permissions than one would think, but this doesn't necessarily mean they are malicious.

Vigilance, and some more vetting would help. I'm wondering if some of the App Market portals like App Brain, Andro Lib, or other new ones, will fill that gap, or if Google will find itself forced into that role. It's defiantly needed.

BTW, to all those hating about wallpaper apps (hey those are just for 14 yo girls) isn't part of the beauty of Android being able to change your look? While I do put up some of my own cropped/edited it's nice to find other images out there, and I like the particular background program I use. Live wallpapers defiantly take it out of the DYI realm for most Android owners. I'm not a big "ring tone" gal myself, but I appreciate that some others really dig into that aspect of their phone.

P00r says:

First we had the AntenaGate, now the WallPaperGate.(both courtesy of apple ?)

I agree with previous poster, lookout app permission request seem more suspicious to me than those wallpaper... they probably used this scanner scam to gather data for their so called genome project...

I am not so sure scared user will click more on adsense ads...

UncleMike says:

Maybe I'm missing something (because I'm too old?), but wallpaper just sits there. Why would I want or need a wallpaper app?

tagon says:

The app has wallpaper for your phone...so to answer your question I don't know why anyone would need a wallpaper app ;)

sumyunguy says:

I just downloaded the Lookout app and interestingly, much of the same questionable access is requested by their app.

Permissions:
YOUR PERSONAL INFORMATION: add or modify calendar events and sen email to guests, read browsers history and bookmarks, read contact data, read owner data, read user defined dictionary, write browsers history and bookmarks, write contact data.

YOUR LOCATION: coarse (network-based) location, fine(gps) location

YOUR MESSAGES: edit SMS or MMS, read SMS or MMS, receive SMS

NETWORK COMMUNICATION:full internet access

YOUR ACCOUNTS: manage the accounts list

STORAGE: modify/delete SD card contents

HARDWARE CONTROLS: change your audio settings

PHONE CALLS: read phone state and identity

SYSTEM TOOLS: delete all application cache data, make application always run, modify global system settings, prevent phone from sleeping, read system log files, write sync settings

P00r says:

Indeed their app can do more damage than the actual threat they are pointing at... I also wonder HOW they gathered their data for their studies...

StuartV says:

"Android is the only OS that gives you these sort of warnings"

FAIL. Blackberry does it - and better.

D Evo says:

Take a look at the HTC battery application permissions...

xarophti says:

I prefer my own wallpapers, thank you.

Jayshmay says:

I noticed Google finally removed the apps in question.

Swavek says:

I'm no newbie to computers, technology or wonderful gadgets such as the android phones, but how can the general public trust android devices or understand such technical things as those permission warnings? i personally don't have issues with my moto droid or these permission warnings, but there's no way i'd expect my parents or sister to understand them or have a clue. it's unfortunate, but google will probably have to dumb the android system down and make it more secure in order to gain even wider acceptance.

P00r says:

As far as I know Android is based on Java and as such is quite secure...

either way I posted a thread on a forum hoping some serious FACT will come out of this story...

http://forum.xda-developers.com/showthread.php?t=739446

dannyl says:

As mentioned above, no PII (personally identifiable information) was transferred. Having said that - this is certainly an interesting sort of attack that has absolutely nothing to do with the programming language of the Android application - Java or Erlang or whatever.

As an expert, independent data security consultant operating in the mobile medical device space - I would recommend against keeping any PII and sensitive information on your phone. That is the best defense against pretexting/phishing and backdoor attacks of the sort described above.

Danny Lieberman
Data security experts

SoCalBohoGal says:

I just ran across an eBay app that has a "full network access" notice, amongst others. There's no reason ANY app would need to have that type of permission. I'm not sure this app is actually put out by eBay, although it did lead me to looking up the permissions info that lead me to this forum. There were FAR too many permissions that had me uncomfortable. Any good, app is only going to have permissions they need to function & allow others to function, and if free, perhaps some browser info or other app info.

Full network?