Free Android apps scrape personal data, send it to China

Millions have downloaded ‘suspicious’ wallpaper apps, says mobile security firm

Between one and four million users of Android phones have downloaded wallpaper apps that swipe personal data from the phone and transmit it to a Chinese-owned server, a mobile security firm said today.

According to San Francisco-based Lookout, a large number of free wallpaper apps in the Android Market scrape the phone number; the user-specific subscriber identifier, also know as the IMSI (International Mobile Subscriber Identity); the phone’s SIM card’s serial number; and the currently-entered voicemail number from the phone.

That information is then transmitted to a server that Internet records show is registered to a resident of Shenzhen, a city in China’s Guangdong province, just north of Hong Kong.

Over 80 wallpaper apps created by a pair of developers — "callmejack" and "IceskYsl@1sters!" — include code that accesses users’ personal data, said Kevin Mahaffey, chief technology officer and a co-founder of Lookout.

"All that is sent to a Chinese server in clear text," said Mahaffey in an interview prior to Black Hat, where he and CEO John Hering presented findings of what the company called the "App Genome Project," an attempt to analyze the code of some 300,000 applications available in the Android Market and Apple’s iPhone App Store.

In a Friday entry on Lookout’s blog, Mahaffrey published pieces of the data-scraping code found in the wallpaper apps, as well as an example of the HTML request made to the Chinese server by those programs.

ComputerWorld

Leave a Reply