Researchers find 80 Android wallpaper apps that harvest sensitive data

[Ian]

According to researchers from Black Hat USA 2010 say they found 80 Android wallpaper applications that harvest sensitive data, which, of course, wallpaper applications don't need.

"The wallpaper applications that we analyzed transmitted several pieces of sensitive data to a server over an unencrypted network connection. The data included the device's phone number, subscriber identifier (e.g. IMSI), and the currently entered voicemail number on the phone," Lookout CTO Kevin Mahaffey said today. "While this sort of data collection from a wallpaper application is certainly suspicious, there's no evidence of malicious behavior. There have been cases in the past on other mobile platforms where well-intentioned developers are simply over-zealous in their data gathering, without having malicious intent."

The group found more than 80 wallpaper apps that did this, and they all traced back to two developers "Jackeey" and "wallpaper," both of whom have since changed their names. The various apps are estimated to have been downloaded between one and four million times.

There's a good chance you have downloaded one if you're an Android user.

"While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior," Mahaffey said today. He also said that Google is aware of the situation and is currently investigating the suspicious apps.

[Source]

[Oldiesmann]

This wouldn't be as big of an issue if users actually bothered to pay attention to the access requirements when they go to install an app (the market does tell you what access the app requires when you tell it to install, and you must tap "OK" to actually proceed with the install).