Thursday, July 29, 2010

Mobile threats?

Damn! I knew I should have attended Blackhat this year!!

------------------------------------------------------------------------------------------

"It collects your browsing history, text messages, your
phone's SIM card number, subscriber identification,
and even your voicemail password." -
mobile.venturebeat.com

http://mobile.venturebeat.com/2010/07/28/android-wallpaper-
app-that-steals-your-data-was-downloaded-by-millions/

questionable Android mobile wallpaper app that collects
your personal data and sends it to a mysterious site in
China, has been downloaded millions of times, according to
unearthed by mobile security firm Lookout.

That means that apps that seem good but are really
stealing your personal information are a big risk at a time
when mobile apps are exploding on smartphones, said John
Hering, chief executive, and Kevin MaHaffey, chief
technology officer at Lookout, in their talk at the Black Hat security
conference in Las Vegas today.

"Even good apps can be modified to turn bad after a lot
of people download it," MaHaffey said. "Users absolutely
have to pay attention to what they download. And developers
have to be responsible about the data that they
collect and how they use it."

The app in question came from Jackeey Wallpaper, and
was uploaded to the Android Market, where users can download
it and use it to decorate their phones that run the Google
Android operating system. It includes branded
wallpapers from My Little Pony and Star Wars, to
name just a couple.

It collects your browsing history, text messages,
your phone's SIM card number, subscriber identification,
and even your voicemail password. Itsends the data to a web site,
www.imnet.us. That site is evidently owned by
someone in Shenzhen, China. The app has been downloaded
anywhere from 1.1 million to 4.6 million times.
The exact number isn't known because the
Android Market doesn't offer precise data. The search
through the data showed that Jackeey Wallpaper and
another developer known as iceskysl@1sters! (which
could possibly be the same developer, as they use
similar code) were collecting personal data. The wallpaper
app asks for "phone info," but that isn't necessarily a clear warning.

The Lookout executives found the questionable app
as part of their App Genome Project. Lookout is a mobile
security firm, and it logged data from
more than 100,000 free Android and iPhone apps as part
of the project to analyze how apps behave. It found that the
apps access your personal data quite often. On Android, each
user is asked if they give their permission to access an app,
but on the iPhone, where Apple approves apps, no permission
is needed.

Roughly 47 percent of Android apps access some kind
of third-party code, while 23 percent of iPhone apps do.
The executives also found that many apps use third-party
software programs to do things such as feed ads into an app.
Often, developers unquestioningly use the software
development kits of those third parties in their apps,
even if they don't know what they do. In many
cases, there is a good reason for the use of personal information.
Ads, for instance, can be better targeted if the app knows a
user's location.

Hering said in a press conference afterward that he
believes both Google and Apple are on top of policing their
app stores, particularly when there are
known malware problems with apps. But it's unclear what
happens when apps behave as the wallpaper apps do,
where it's not clear why they are doing
what they are doing.