![Android Wallpaper Apps Falsely Accused of Spyware and Stealing Sensitive User Data [FUD]](http://cdn.androidtapp.com/wp-content/uploads/2010/07/Android-Wallpaper-Apps-Falsely-Accused-of-Spyware-and-Stealing-Sensitive-User-Data-FUD.jpg)
Wow! A recent VentureBeat article put the blogosphere and smartphone industry on its heels when a reported score of wallpaper Android apps were accused of being malicious. The wallpaper apps created by “jackeey,wallpaper” and “IceskYsl@1sters!” are indeed from the same developer under separate accounts, and are accused of sending private, sensitive user data to servers in China, to a website, www.imnet.us. The worst part about all of this is that no one, I mean no one, fact-checked accurately. VentureBeat, The Wall Street Journal, CNET, Fast Company, Fortune, PC World, Computerworld, Gizmodo, AppleInsider, etc.: the list goes on and on, and everybody jumped the gun in reporting the issue. No one asked the developer about it or really looked into the methods Lookout used in building its report, called the App Genome Project.
Update: Lookout notes it does not capture browsing history and text messages.
It collects your browsing history, text messages, your phone number, subscriber identification, and even your voicemail password, as long as it is programmed automatically into your phone. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China. The app has been downloaded anywhere from 1.1 million to 4.6 million times. The exact number isn’t known because the Android Market doesn’t offer precise data. The search through the data showed that Jackeey Wallpaper and another developer known as iceskysl@1sters! (which could possibly be the same developer, as they use similar code) were collecting personal data. The wallpaper app asks for permission to access your “phone calls,” but that isn’t necessarily a clear warning. While suspicious, Lookout says there isn’t evidence of malicious behavior.
We had a chance to talk first with the developer of the wallpaper apps, Jackeey Wu, in an exclusive interview, as no other resource had reached out to him at the time of the growing wildfire. Since the massive coverage, Google has pulled all the wallpaper apps from both accounts pending further investigation. We would like to share our interview with the developer of the apps verbatim, in response to all the media reports:
Hi, I noticed in venturebeat.com that the CEO of Lookout said that I have collected user’s data in my wallpaper apps. The data includes browsing history, text messages, phone’s SIM card number, subscriber identification, and even your voicemail password.
(http://mobile.venturebeat.com/2010/07/28/android-wallpaper-app-that-steals-your-data-was-downloaded-by-millions/)
I do not collect user data likes what the CEO of Lookout Said in venturebeat.com
He said that I have collected the text message, it is bullshit. We know that if a developer wants to collect text message, he must declare some android permissions (android.permission.READ_SMS, android.permission.RECEIVE_SMS, or android.permission.RECEIVE_MMS) firstly. And these permissions will be shown on the Android market security page and Application settings. We can see the following screen shortcut from android market, that I do not declare the permission in my applications (The right one). So my applications can’t collect user message absolutely.
In the news, it said I collected the browsing history in my applications, it makes no sense.
You can see the screen shortcut below. The “Browser” applications declare the permissions to read/write browsing history and bookmark. But in all my applications, I do not declare that permissions to collect these user’s data.
Other wallpaper application collected more data.
Please look out the most popular wallpaper apps i.e. “Background”. That application required 8 permissions. My applications just required 5 permissions to make the app run well, and all of these permissions have been contained by “Background”.
In my applications I collected some device data, not user data.
I collected the screen size to return more suitable wallpaper for the phone. More and More users emailed me telling that they love my wallpaper apps so much, because that even “Background” can’t well suited the phone’s screen.
I also collected device id, phone number and subscriber id, it has no relationship with user data. There are few apps in Android market has the favorites feature. Many users suggest that I should provide the feature so I use these to identify the device, so they can favorite the wallpapers more conveniently, and resume his favorites after system resetting or changing the phone.
I am just an Android developer, I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.
I am wondering why the ceo of Lookout or the Author of venturebeat.com attacks me and make irresponsible points.
For obvious reasons Lookout could not respond to my questions at the time of researching this issue but have published technical details in an update on their blog stating:
While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior. There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent.
(Update: 3:00pm CDT 7/30/10. I was able to personally speak with Erika Shaffer, PR for Lookout to give their statement about what they said and demonstrated at Blackhat 2010)
Lookout didn’t retract anything. When we saw the misinformation being spread we posted as soon as we could a complete post on what we had found about these apps. That they were transmitting the phone number, subscriber ID and voicemail phone number to a server owned by the developer. We said that in the presentation on Wednesday.
(Update: 6:14pm CDT 7/30/10. I had a personal conversation in addition to email correspondence with Lookout’s CEO John Hering to give his statement regarding what they said and the research demonstrated)
This makes it clear that there was some initial misreporting of our research, though we want to be clear that we never said that the wallpaper apps were malicious and we never claimed that the apps gathered more than the data we disclose in our blog post (e.g. subscriber id, phone number, voicemail password). We’ve been working around the clock to make sure everyone gets it right.
…
Thanks again for taking the time to chat. As I mentioned when we spoke, our goal is to help make users and developers alike more aware of what is happening in the world of mobile apps to ensure a safe mobile experience. Please feel free to give me a call if you want to talk.
In my phone conversation with Hering, he brought up a good point about what their research could reveal about the potential harm of sensitive user data being leaked. Recalling his example: if a user is in a coffee shop on unsecured Wi-Fi and an app is transmitting data like phone numbers and voicemail passwords unencrypted, in clear text, a potential hazard is a malicious hacker sniffing that transmission and retrieving the information. Their research is meant to make mobile app developers more aware of possible inadvertent and/or unsecured transmission of sensitive data that users obviously wouldn’t know about.
True, all users should indeed be aware of what they are installing from the Android Market. True, the openness of the Android Market is both its strength and its weakness, as something like this could be exploited. In this particular instance… it may not be the case, especially for what seems like a developer trying to improve his app by grabbing device data to make a “favorites” feature in-app. Maybe his approach was suspicious and overzealous, as Lookout corrected, but was the mass negative press, without covering the complete story, warranted?
I believe Lookout’s reassessment should have been issued in the beginning versus retroactively clarifying; it makes me question their app security scanning and protection features of Lookout Mobile Security. Hopefully Google’s investigation will put a final ruling to this.
I’ll leave you with these 3 words… Fear, Uncertainty, and Doubt!
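The permission argument running through the interview and Lookout's statements can be checked mechanically. The Python sketch below is an added example, not code from this article, the developer or Lookout: it reads a decoded AndroidManifest.xml and reports which of the disputed data types the declared permissions can and cannot reach. The sample manifest is constructed, and `READ_PHONE_STATE`, `READ_HISTORY_BOOKMARKS`, `INTERNET` and `SET_WALLPAPER` are standard Android permission names that the article does not quote.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> data it gates (Android platform permissions of the 2010 era).
SENSITIVE = {
    "android.permission.READ_SMS": "stored text messages",
    "android.permission.RECEIVE_SMS": "incoming text messages",
    "android.permission.RECEIVE_MMS": "incoming MMS",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS":
        "browser history and bookmarks",
    "android.permission.READ_PHONE_STATE":
        "device ID, phone number, subscriber ID, voicemail number",
}
NETWORK = "android.permission.INTERNET"

# Constructed sample manifest (an assumption, not the real app's file):
# a wallpaper app that requests phone state and network access.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Wallpapers"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}


def audit(manifest_xml):
    """Split the sensitive data types into reachable and unreachable ones."""
    perms = declared_permissions(manifest_xml)
    readable = {p: SENSITIVE[p] for p in sorted(perms & SENSITIVE.keys())}
    return {
        "readable": readable,
        "cannot_read": sorted(SENSITIVE[p] for p in SENSITIVE.keys() - perms),
        # Readable identifiers plus network access means they can be sent out.
        "can_leave_device": bool(readable) and NETWORK in perms,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for perm, data in report["readable"].items():
        print(f"CAN READ     {data}  ({perm})")
    for data in report["cannot_read"]:
        print(f"CANNOT READ  {data}")
    print("Can transmit off device:", report["can_leave_device"])
```

A manifest inside an APK is stored as binary XML, so it has to be decoded to text before this runs. The audit says nothing about whether a transmission is encrypted, which was the point Hering raised.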
The thing that I found amazing about so many of these ‘news’ reports was that they all made this huge deal about this rogue app, but of the ones I read, none of them would tell you what app it was so you could avoid it (or so you could see if it was installed on your Android). It was just a bunch of stories to make you afraid of your phone without even giving you the courtesy of telling you what app was causing the supposed problem.
Bravo, and thanks for this article. I must admit that while I was confused for a moment when I did not see any sms-related permissions on that app while reading the Lookout report, I still took their word for granted. Next time we all have to be more cautious and less hysterical.
Maybe we should be promoting Lookout Mobile Security more since they caught it!
It’s really too bad report without verification happens so much recently. The problem with this is the original story got prime time coverage with things like WSJ and yahoo!; the correction on the other hand will get buried ten pages in and will be in fine print. The damage has been done, and most people will never get the truth.
“I also collected device id, phone number and subscriber id, it has no relationship with user data”
A- how is this not in relationship with user data? Seems to me that device id, PHONE NUMBER, and subscriber id are user data.
B- why does he have to collect this information to provide favorites for his wallpaper application?
Fantastic article, Thanks! I have spread this to the places where I have seen the lookout paper.
If a wall paper app is requesting more than usual permissions, just don’t download it. It is really up to the end user to look at what permissions the app they are downloading wants to access.
Many times, free apps use the internet permission because their app uses advertisements. Also, there is nothing wrong with grabbing device data. The developer wants to know screen sizes so he can deliver better wallpaper options.
So apps that take private user data and send it to China are okay on Android, and any critique of the security-free Android model is “FUD”?
What about widespread malware that has existed in the Android Marketplace for months? Or the fact that the hobbyist market is creating massive amounts of junk, like this “wallpapers” app. Or that even primary Android developers like DoubleTwist’s DVD Jon are calling out Google for sloppy management of its apps store, allowing gross copyright infringement and essentially doing for apps what Google did for spam sites on the web.
Right, the real story is that Sarah Palin is being persecuted, not that she’s incompetent. And by Palin I mean Android.
Hi Antonio,
I agree that many blogs blew the story out of proportion, and got some key facts wrong. But you are wrong to include the Wall Street Journal in your post, and kindly request that you remove our publication from the post.
If you read the WSJ blog post carefully you would see that we never accused the developer of malicious behavior, nor did we report that the app “stole” text messages and browsing history. We wrote that the apps “were found to be collecting phone numbers and other personal information, including the IMSI number that identifies a cellphone subscriber. The apps also transmitted sensitive data unencrypted to a server.”
Moreover, we noted that the developer actually notified users it would be accessing some of this data. To me, this was not a story about malware but more an opportunity to highlight “the growing threats to privacy posed by the explosion of wireless apps, as well as the different privacy models of wireless app store providers such as Google and Apple.”
Kudos to you for tracking down the elusive jackeey. I could not find a way to contact him under my deadline. Did you ask him why he is collecting this data?
That’s what I and others want to know. There doesn’t seem to be a reason for him to collect this data. So that raises some questions for me.
best,
Spencer Ante
Wall Street Journal
I have a serious question. So you ASKED the developer and he’s not collecting the data. Ok, fine. You can’t say that suspicious permissions are ok. If you give an app access to those things, you cannot complain about stolen data. And whether or not anyone believes the developer, it’s irrelevant; he has full access to the data and can do what he pleases with it.
And anyone who allows a wallpaper access to that stuff is a damned idiot.
Also this points to a problem with the android security model. Security should be based on not just the data but its usage. You say oh they want device settings for screen size? Then why isn’t that a discrete API?
Ok tell me this from your “chat” with the developer “being falsely accused”
He himself wrote/said:
“I also collected device id, phone number and subscriber id, it has no relationship with user data.”
How the hell is that not breach of data?
Why the hell is he needing phone numbers to “collect”?
What phone numbers is he taking off the phone if not users “data”?
Dude pretty much admitted in your article that he is collecting data…
Ok, venturebeat went a bit overboard, and other blogs that just quick copied the articles did the same thing… but they were not much away from the truth and MyLookout too.
http://www.geek.com/articles/mobile/defcon-hackers-release-android-rootkit-total-control-of-smartphone-possible-20100730/
Looks like Android Central was able to get a hold of the developer too and he answered a few more questions.
http://www.androidcentral.com/android-privacy-concern-lookout-response#comment-52719
Good job on this! Glad to see someone took the time to check the facts.
I really think this entire thing was intentional on Lookout’s part, their whole goal was to get PR from this at the expense of the developer they targeted. The fact that Lookout did not even attempt to contact the developer is irresponsible and just plain shitty.
What you should do is post what the Lookout application has access to. I installed their app and noticed that IT HAS ACCESS TO YOUR BROWSER HISTORY AND BOOKMARKS, as well as contacts, phone data, even your calendar. So here they are claiming an application has access to things, but their application has access to even more and what is more uploads it to a server and from what I can tell it is not encrypted.
Personally, I think this app and all these wallpaper is crapware anyways.
There’s no reason for me to download these apps in the first place. If I need a wallpaper for my phone I go and find the wallpaper that I like and PUT it onto my phone for my use.
Thanks for the clarification and followup. I thought the original report, instigated by a firm that would surely profit from it, had a bad smell.
Is there any place that maintains a list of firms that use FUD as a strategy so that we may boycott them???
Stupidest defense of data theft I have ever seen. It amounts to: “Android Users give us permission to steal their data, and others steal more data so that makes what we do ok”. Could this be any more clueless? Have fun with your Android Hackphones.
This isn’t the first time these guys pulled FUD, watch this video and count how many times they say “terrorist” and “targeted attacks at Americans”.
http://www.youtube.com/watch?v=-XXaqraF7pI
So easy to wave the “blame China” flag, and everybody indoctrinated to see China as our enemy just swallow stories like this hook line sinker.
I have no interest in downloading wallpapers from an app. Kudos to you for reaching out to the developer and getting his side of the story. He obviously does not know what user data is. Why does he need the phone #?
I guess most people do not read reviews of apps before installing on their devices.
Google Market has declared the app safe and reinstated it.
But I have this feeling, just like all the other bogus “blame China” story, there will be no parity in effort to undo the damage. Just them commie ch!nks, who cares?