Update 2: Please see our follow-up – the developer of the app in question has denied malicious intent.
Mobile security firm Lookout announced today at the Black Hat security conference that millions of Android users had downloaded a wallpaper app that sends user information to an unknown site in China, reported VentureBeat. Concerns about app access to private information were raised last month, but this may be the first instance of Android malware in the wild. Android’s enterprise-readiness has been controversial in analyst circles.
Update: Lookout contacted us with the following clarification:
The app does not actually steal users’ SIM card numbers or voicemail passwords. Instead, the app transmits the device’s phone number, subscriber identifier (e.g. IMSI), and the currently entered voicemail number on the phone. This is an important distinction for Lookout, because they did not technically find that the app was doing anything malicious. It is certainly suspicious, but it is important to clear up that they did not actually steal info like voicemail passwords.
The app, Jackeey Wallpaper, transmits a user’s SIM card number, subscriber identification, and, if it’s been programmed into the phone, voicemail password to www.imnet.us, a web site owned by someone in Shenzhen, China. It had been reported that the app also collected browsing history and text messages, but Lookout has clarified that this is not correct.
The app asks permission to access users’ phone calls, but does not disclose that the information would be sent to a third party. Lookout found the app as part of its App Genome Project, an ambitious project to track the behavior of 300,000 applications.
Lookout may also be announcing other Android security risks at the conference.
Another mobile security company, Smobile Systems, warned against this very scenario last month in a report titled Threat Analysis in the Android Market.
Analysts have been split over the enterprise-readiness of Android 2.2. Jack Gold, of J. Gold Associates, has argued that the lack of support for enterprises to manage what apps users install on their Android handsets should be one of many deal-breakers for Android adoption in the enterprise. This would seem to validate his claims.
Perhaps in response to the Smobile report, Google released a kill switch function to remotely delete malicious applications. The company hasn’t announced whether Jackeey Wallpaper has been scheduled for termination.