The personal details of Android mobile phone users were collected after more than 80 wallpaper applications harvested phone numbers and other personal data.
According to security firm Lookout, the apps transmitted unencrypted sensitive data back to remote servers and, in one instance, sent data back to China. In a presentation at last week's Black Hat conference in Las Vegas, Nevada, CTO Kevin Mahaffey said that he had found a series of wallpaper applications in the Android Market that were gathering ‘seemingly unnecessary data’.
He said: “The wallpaper applications that we analysed transmitted several pieces of sensitive data to a server over an unencrypted network connection. The data included the device's phone number, subscriber identifier (e.g. IMSI) and the currently entered voicemail number on the phone (see below for technical details).
“While this sort of data collection from a wallpaper application is certainly suspicious, there's no evidence of malicious behaviour. There have been cases in the past on other mobile platforms where well-intentioned developers are simply overzealous in their data gathering, without having malicious intent.”
He pointed out that the wallpaper applications contain code that accesses sensitive data, but not every application that accesses sensitive data actually transmits it off the device.
He said: “In order to see what sort of information the wallpaper applications transmit to the internet, we analysed the network traffic generated by the application. When we used the application, one request in particular stood out, an unencrypted HTTP request to a server named ‘imnet.us’.
“While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behaviour. There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent. We've been working with Google to investigate these apps and they're on top of it.”
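The traffic analysis Mahaffey describes, spotting subscriber identifiers leaving the device over plain HTTP, can be reduced to a small check over captured request lines. The script below is an added example for this article, not Lookout's tooling or code from any of the apps; the proxy-style log lines, host names and parameter names in it are constructed for illustration. It flags requests whose query string carries a phone number, an IMSI or a voicemail number, and records whether the carrying connection was unencrypted.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of captured requests in a proxy-log style ("METHOD URL").
# These hosts and values are made up; they are not traffic from the apps in the article.
SAMPLE_REQUESTS = [
    "GET http://wallpaper-cdn.example/img/sunset.jpg",
    "GET http://stats.wallpaper-cdn.example/track?imsi=310260123456789&phone=%2B15555550123&vm=%2A86",
    "GET https://api.example/sync?imsi=310260123456789",
    "POST http://ads.example/click?id=42",
]

# An IMSI is 15 decimal digits (MCC + MNC + MSIN).
IMSI_RE = re.compile(r"^\d{15}$")
# E.164-style subscriber number, optionally with a leading '+'.
PHONE_RE = re.compile(r"^\+?\d{10,15}$")


def classify_value(key, value):
    """Return which identifier a query parameter appears to carry, or None.

    Parameter names are matched first; an IMSI-shaped value is flagged
    regardless of the name so a renamed parameter is not missed.
    """
    k = key.lower()
    if k == "imsi" and IMSI_RE.match(value):
        return "imsi"
    if k in ("phone", "msisdn") and PHONE_RE.match(value):
        return "phone"
    if k in ("vm", "voicemail"):
        return "voicemail"
    if IMSI_RE.match(value):
        return "imsi"
    return None


def flag_sensitive_http_requests(requests):
    """Scan request lines and report every subscriber identifier found in a query string."""
    findings = []
    for line in requests:
        method, _, url = line.partition(" ")
        if not url:
            continue
        parts = urlsplit(url)
        # parse_qs percent-decodes values, so %2B becomes '+' and %2A becomes '*'.
        for key, values in parse_qs(parts.query).items():
            for value in values:
                kind = classify_value(key, value)
                if kind is None:
                    continue
                findings.append({
                    "method": method,
                    "host": parts.hostname,
                    "param": key,
                    "kind": kind,
                    # The article's concern: identifiers sent without TLS.
                    "plaintext": parts.scheme == "http",
                })
    return findings


def plaintext_leaks(requests):
    """Only the findings that travelled over unencrypted HTTP."""
    return [f for f in flag_sensitive_http_requests(requests) if f["plaintext"]]


if __name__ == "__main__":
    for f in flag_sensitive_http_requests(SAMPLE_REQUESTS):
        state = "PLAINTEXT" if f["plaintext"] else "tls"
        print(f"{state:9} {f['kind']:9} {f['method']} {f['host']} param={f['param']}")
```

Run against the sample, the check reports three identifiers (IMSI, phone number, voicemail number) leaving for `stats.wallpaper-cdn.example` in the clear and one IMSI sent to `api.example` over TLS, which is the distinction worth making: the TLS request still tells you the app collects the identifier, but only the plaintext ones expose it to anyone on the network path. The heuristic looks only at query strings; identifiers carried in POST bodies, custom headers or obfuscated encodings need a decoder for that format before the same classification applies.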
Commenting, Simeon Coney, VP of business development and strategy at AdaptiveMobile, said that this revelation was a call for organisations in the mobile sector to tighten controls and policies to ensure personal data is protected.
He said: “Unfortunately, malicious applications that are designed to extract data look genuine and the vast majority of users are unaware that it could pose a risk. Once the app is active on the handset, any data being harvested will almost always occur in the background without the user ever being alerted.
“The reality is there is often no easy way for users to identify whether apps are potentially malicious or not. Responsibility primarily lies with the developers and the app stores, but mobile operators are increasingly providing ‘clean internet’ services that also safeguard users against malicious applications. These network-level defences enable operators to identify threats and block breaches early, and without needing subscribers to update handset applications.”
Coney echoed recent claims made by Veracode CTO Chris Wysopal. He said that with the increasing use of embedded advertising in applications, new risks are introduced on advert web click-through and automatic call dialling.
“With the surge in sales of smartphones and other 3G-enabled devices, there are hundreds of thousands of users accessing app stores every day - and the apps they are downloading are increasingly designed to exchange data with the internet. In the early days of mass-market PC adoption, users had to be educated on the potential security risks they may face online. The same is now true for the mobile world. Only when users are made aware of potential security issues, will they be armed with enough knowledge to avoid putting themselves at risk,” said Coney.