Android Wallpaper Apps Falsely Accused of Spyware and Stealing Sensitive User Data [FUD]

by Antonio Wells Jul 30, 2010 8:27 AM – 28 Comments

Wow! A recent VentureBeat article put the blogosphere and smartphone industry on its heels when a reported score of Android wallpaper apps were accused of being malicious. The wallpaper apps, created by “jackeey,wallpaper” and “IceskYsl@1sters!” (indeed the same developer under separate accounts), were accused of sending private, sensitive user data to a website, www.imnet.us, on servers in China. The worst part about all of this is that no one, and I mean no one, fact-checked accurately. VentureBeat, The Wall Street Journal, CNET, Fast Company, Fortune, PC World, Computerworld, Gizmodo, AppleInsider, etc.: the list goes on and on, and everybody jumped the gun in reporting the issue. No one asked the developer about it or really looked into the methods Lookout used in building its report, called the App Genome Project.

Update: Google Removes Suspension on Android Wallpaper Apps Falsely Accused of Spyware and Stealing Sensitive User Data

Quote from what VentureBeat reported that started all the Controversy

Update: Lookout notes it does not capture browsing history and text messages. It collects your browsing history, text messages, your phone number, subscriber identification, and even your voicemail password, as long as it is programmed automatically into your phone. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China. The app has been downloaded anywhere from 1.1 million to 4.6 million times. The exact number isn’t known because the Android Market doesn’t offer precise data. The search through the data showed that Jackeey Wallpaper and another developer known as iceskysl@1sters! (which could possibly be the same developer, as they use similar code) were collecting personal data. The wallpaper app asks for permission to access your “phone calls,” but that isn’t necessarily a clear warning. While suspicious, Lookout says there isn’t evidence of malicious behavior.

Response from the Accused Developer

We had a chance to talk with the developer of the wallpaper apps, Jackeey Wu, in an exclusive first interview, as no other outlet had reached out to him at the time of the growing wildfire. Since the massive coverage, Google has pulled all the wallpaper apps from both accounts pending further investigation. We would like to share our interview with the developer verbatim, in response to all the media reports:

Hi, I noticed in venturebeat.com that the CEO of Lookout said that I have collected user’s data in my wallpaper apps. The data includes browsing history, text messages, phone’s SIM card number, subscriber identification, and even your voicemail password.
(http://mobile.venturebeat.com/2010/07/28/android-wallpaper-app-that-steals-your-data-was-downloaded-by-millions/)
I do not collect user data likes what the CEO of Lookout Said in venturebeat.com
He said that I have collected the text message, it is bullshit. We know that if a developer wants to collect text message, he must declare some android permissions (android.permission.READ_SMS, android.permission.RECEIVE_SMS, or android.permission.RECEIVE_MMS) firstly. And these permissions will be shown on the Android market security page and Application settings. We can see the following screen shortcut from android market, that I do not declare the permission in my applications (The right one). So my applications can’t collect user message absolutely.

Comparison of Android App Permissions of Text Messaging App versus Wallpaper App

In the news, it said I collected the browsing history in my applications, it makes no sense.
You can see the screen shortcut below. The “Browser” applications declare the permissions to read/write browsing history and bookmark. But in all my applications, I do not declare that permissions to collect these user‘s data.

Comparison of Android App Permissions of Popular Backgrounds App versus Jackeey Wallpaper Apps

Other wallpaper application collected more data.
Please look out the most popular wallpaper apps i.e. “Background”. That application required 8 permissions. My applications just required 5 permissions to make the app run well, and all of these permissions have been contained by “Background”.
In my applications I collected some device data, not user data.
I collected the screen size to return more suitable wallpaper for the phone. More and More users emailed me telling that they love my wallpaper apps so much, because that even “Background” can’t well suited the phone’s screen.
I also collected device id,phone number and subscriber id, it has no relationship with user data. There are few apps in Android market has the favorites feature. Many users suggest that I should provide the feature so I use the these to identify the device, so they can favorite the wallpapers more conveniently, and resume his favorites after system resetting or changing the phone.

I am just an Android developer, I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.

I am wondering why the ceo of Lookout or the Author of venturebeat.com attacks me and make irresponsible points.
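
The permission argument in the developer's reply can be checked mechanically. The following is an added example, not code from this article, Lookout or the developer: it reads a decoded AndroidManifest.xml and reports which of the disputed data categories the declared permissions unlock. The manifest and package name are constructed, and the permission-to-category mapping is a simplification limited to the permissions discussed here.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"

# Disputed data category -> permissions that unlock it through the platform APIs.
# Simplified: covers only the permissions discussed in this article.
CATEGORY_PERMISSIONS = {
    "text messages": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.RECEIVE_MMS",
    },
    "browser history and bookmarks": {
        "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    },
    "device id, phone number, subscriber id, voicemail number": {
        "android.permission.READ_PHONE_STATE",
    },
}

# Constructed sample, NOT the real manifest of any app named in this article.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.SET_WALLPAPER" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}


def audit(manifest_xml):
    """Map each disputed category to what the declared permissions allow."""
    perms = declared_permissions(manifest_xml)
    can_transmit = INTERNET in perms
    report = {}
    for category, unlocking in CATEGORY_PERMISSIONS.items():
        held = sorted(perms & unlocking)
        report[category] = {
            "readable": bool(held),
            "via": held,
            # Readable data plus network access can leave the device.
            "can_leave_device": bool(held) and can_transmit,
        }
    return report


if __name__ == "__main__":
    for category, result in audit(SAMPLE_MANIFEST).items():
        print(category, result)
```

The report describes what an app is able to read and send, not what it actually does with that access.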

Lookout’s Update About Wallpaper Apps

For obvious reasons, Lookout could not respond to my questions while I was researching this issue, but it has published technical details in an update on its blog, stating:

While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior. There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent.

(Update: 3:00pm CDT 7/30/10. I was able to personally speak with Erika Shaffer, PR for Lookout to give their statement about what they said and demonstrated at Blackhat 2010)

Lookout didn’t retract anything.  When we saw the misinformation being spread we posted as soon as we could a complete post on what we had found about these apps.  That they were transmitting the phone number, subscriber ID and voicemail phone number to a server owned by the developer.  We said that in the presentation on Wednesday.

(Update: 6:14pm CDT 7/30/10. I had a personal conversation in addition to email correspondence with Lookout’s CEO John Hering to give his statement regarding what they said and the research demonstrated)

This makes it clear that there was some initial misreporting of our research, though we want to be clear that we never said that the wallpaper apps were malicious and we never claimed that the apps gathered more than the data we disclose in our blog post (e.g. subscriber id, phone number, voicemail password).  We’ve been working around the clock to make sure everyone gets it right.

…

Thanks again for taking the time to chat. As I mentioned when we spoke, our goal is to help make users and developers alike more aware of what is happening in the world of mobile apps to ensure a safe mobile experience. Please feel free to give me a call if you want to talk.

In my phone conversation with Hering, he brought up a good point about what their research could reveal about the potential harm of leaked sensitive user data. Recalling his example: if a user is in a coffee shop on unsecured Wi-Fi and an app is transmitting data like phone numbers and voicemail passwords unencrypted, in clear text, a malicious hacker sniffing that transmission could retrieve the information. Their research aims to make mobile app developers more aware of possible inadvertent and/or unsecured transmission of sensitive data that users obviously wouldn’t know about.

My Preliminary Conclusion

True, all users should be aware of what they are installing from the Android Market. True, the openness of the Android Market is both its strength and its weakness, as something like this could be exploited. In this particular instance… that may not be the case, especially for what seems like a developer trying to improve his app by grabbing device data to make an in-app “favorites” feature. Maybe his approach was suspicious and overzealous, as Lookout corrected, but was the mass negative press, without covering the complete story, warranted???

I believe Lookout’s reassessment should have been issued at the beginning rather than as a retroactive clarification; it makes me question the app security scanning and protection features of Lookout Mobile Security. Hopefully Google’s investigation will put a final ruling on this.

I’ll leave you with these 3 words… Fear, Uncertainty, and Doubt!

28 Comments

  • By Tim on July 30, 2010 at 9:02 am:

    The thing that I found amazing about so many of these ‘news’ reports was that they all made this huge deal about this rogue app, but of the ones I read, none of them would tell you what app it was so you could avoid it (or so you could see if it was installed on your Android). It was just a bunch of stories to make you afraid of your phone without even giving you the courtesy of telling you what app was causing the supposed problem.

  • By Ivan on July 30, 2010 at 11:03 am:

    Bravo, and thanks for this article. I must admit that while I was confused for a moment when I did not see any sms-related permissions on that app while reading the Lookout report, I still took their word for granted. Next time we all have to be more cautious and less hysterical.

  • By Sam on July 30, 2010 at 11:35 am:

    Maybe we should be promoting Lookout Mobile Security more since they caught it!

  • By Ryan on July 30, 2010 at 1:51 pm:

    It’s really too bad reporting without verification happens so much recently. The problem with this is the original story got prime time coverage with things like WSJ and yahoo!; the correction on the other hand will get buried ten pages in and will be in fine print. The damage has been done, and most people will never get the truth.

  • By JDT on July 30, 2010 at 1:52 pm:

    “I also collected device id,phone number and subscriber id, it has no relationship with user data”
    A- how is this not in relationship with user data? Seems to me that device id, PHONE NUMBER, and subscriber id are user data.
    B- why does he have to collect this information to provide favorites for his wallpaper application?

  • By foebea on July 30, 2010 at 1:54 pm:

    Fantastic article, Thanks! I have spread this to the places where I have seen the lookout paper.

    • By Ryan on July 30, 2010 at 2:21 pm:

      If a wall paper app is requesting more than usual permissions, just don’t download it. It is really up to the end user to look at what permissions the app they are downloading wants to access.

      Many times, free apps use the internet permission because their app uses advertisements. Also, there is nothing wrong with grabbing device data. The developer wants to know screen sizes so he can deliver better wallpaper options.

  • By Dan Dilger on July 30, 2010 at 2:47 pm:

    So apps that take private user data and send it to China are okay on Android, and any critique of the security-free Android model is “FUD”?

    What about widespread malware that has existed in the Android Marketplace for months? Or that fact that the hobbyist market is creating massive amounts of junk, like this “wallpapers” app. Or that even primary Android developers like DoubleTwist’s DVD Jon are calling out Google for sloppy management of its apps store, allowing gross copyright infringement and essentially doing for apps what Google did for spam sites on the web.

    Right, the real story is that Sarah Palin is being persecuted, not that she’s incompetent. And by Palin I mean Android.

  • By Spencer on July 30, 2010 at 5:06 pm:

    Hi Antonio,
    I agree that many blogs blew the story out of proportion, and got some key facts wrong. But you are wrong to include the Wall Street Journal in your post, and kindly request that you remove our publication from the post.

    If you read the WSJ blog post carefully you would see that we never accused the developer of malicious behavior, nor did we report that the app “stole” text messages and browsing history. We wrote that the apps “were found to be collecting phone numbers and other personal information, including the IMSI number that identifies a cellphone subscriber. The apps also transmitted sensitive data unencrypted to a server.”

    Moreover, we noted that the developer actually notified users it would be accessing some of this data. To me, this was not a story about malware but more an opportunity to highlight “the growing threats to privacy posed by the explosion of wireless apps, as well as the different privacy models of wireless app store providers such as Google and Apple.”

    Kudos to you for tracking down the elusive jackeey. I could not find a way to contact him under my deadline. Did you ask him why he is collecting this data?

    That’s what I and others want to know. There doesn’t seem to be a reason for him to collect this data. So that raises some questions for me.

    best,
    Spencer Ante
    Wall Street Journal

  • By bob on July 30, 2010 at 5:46 pm:

    I have a serious question. So you ASKED the developer and he’s not collecting the data. Ok, fine. You can’t say that suspicious permissions are ok. If you give an app access to those things, you cannot complain about stolen data. And whether or not anyone believes the developer, it’s irrelevant; he has full access to the data and can do what he pleases with it.

    And anyone who allows a wallpaper access to that stuff is a damned idiot.

  • By bob on July 30, 2010 at 5:52 pm:

    Also this points to a problem with the android security model. Security should be based on not just the data but its usage. You say oh they want device settings for screen size? Then why isn’t that a discrete API?

  • By @JoeHobot on July 30, 2010 at 5:54 pm:

    Ok tell me this from your “chat” with the developer “being falsely accused”

    Him self wrote/said:

    “I also collected device id,phone number and subscriber id, it has no relationship with user data.”

    How the hell is that not breach of data?
    Why the hell is he needing phone numbers to “collect”?

    What phone numbers is he taking off the phone if not users “data”?

    Dude pretty much admitted in your article that he is collecting data…

    Ok venturebeat went bit overboard , and other blogs that just quick copied the articles did same thing… but they were not much away from the truth and MyLookout too.

  • By Greg Johnson on July 30, 2010 at 7:08 pm:

    http://www.geek.com/articles/mobile/defcon-hackers-release-android-rootkit-total-control-of-smartphone-possible-20100730/

  • By DaveIsAwesome on July 30, 2010 at 8:52 pm:

    Looks like Android Central was able to get a hold of the developer too and he answered a few more questions.
    http://www.androidcentral.com/android-privacy-concern-lookout-response#comment-52719

  • By Merick on July 31, 2010 at 3:45 am:

    Good job on this! Glad to see someone took the time to check the facts.

    I really think this entire thing was intentional on Lookout’s part, their whole goal was to get PR from this at the expense of the developer they targeted. The fact that Lookout did not even attempt to contact the developer is irresponsible and just plain shitty.

    What you should do is post what the Lookout application has access to. I installed their app and noticed that IT HAS ACCESS TO YOUR BROWSER HISTORY AND BOOKMARKS, as well as contacts, phone data, even your calendar. So here they are claiming an application has access to things, but their application has access to even more and what is more uploads it to a server and from what I can tell it is not encrypted.

  • By archboy on July 31, 2010 at 11:48 am:

    Personally, I think this app and all these wallpaper is crapware anyways.

    There’s no reason for me to download these apps in the first place. If I need a wallpaper for my phone I go and find the wallpaper that I like and PUT it onto my phone for my use.

  • By Michael on July 31, 2010 at 12:23 pm:

    Thanks for the clarification and followup. I thought the original report, instigated by a firm that would surely profit from it, had a bad smell.

    Is there any place that maintains a list of firms that use FUD as a strategy so that we may boycott them???

  • By Neroon on July 31, 2010 at 7:54 pm:

    Stupidest defense of data theft I have ever seen. It amounts to: “Android Users give us permission to steal their data, and others steal more data so that makes what we do ok”. Could this be any more clueless? Have fun with your Android Hackphones.

  • By Merick on August 1, 2010 at 12:24 am:

    This isn’t the first time these guys pulled FUD, watch this video and count how many times they say “terrorist” and “targeted attacks at Americans”.

    http://www.youtube.com/watch?v=-XXaqraF7pI

  • By Bobby Fletcher on August 1, 2010 at 11:31 pm:

    So easy to wave the “blame China” flag, and everybody indoctrinated to see China as our enemy just swallow stories like this hook line sinker.

  • By DC on August 2, 2010 at 12:19 pm:

    I have no interest in downloading wallpapers from an app. Kudos to you for reaching out to the developer and getting his side of the story. He obviously does not know what user data is. Why does he need the phone #?

    I guess most people do not read reviews of apps before installing on their devices.

  • By Charles Liu on August 4, 2010 at 4:50 pm:

    Google Market has declared the app safe and reinstated it.

    But I have this feeling, just like all the other bogus “blame China” story, there will be no parity in effort to undo the damage. Just them commie ch!nks, who cares?


© 2008 – 2013 Copyright AndroidTapp. All Rights Reserved. The opinions and reviews are solely of AndroidTapp staff and community members. Powered by WordPress.