Update and Clarification of Analysis of Mobile Applications at Blackhat 2010
July 29
This week at Blackhat, we released the first findings from the App Genome Project. Our goal with this research is to help make people aware of the capabilities of mobile apps so that they can be vigilant while downloading. Mobile applications on all platforms–iPhone, BlackBerry, Android, and Symbian–can potentially gather sensitive data from users and we think it’s important that both developers and users act responsibly. The Android permission model, for example, takes steps to inform users of the capabilities of apps, including what personal data the app could be accessing, thus empowering users to evaluate the apps they download and make good decisions.
During our research, we found a series of wallpaper applications in the Android Market that are gathering seemingly unnecessary data. The wallpaper applications that we analyzed transmitted several pieces of sensitive data to a server over an unencrypted network connection. The data included the device’s phone number, subscriber identifier (e.g. IMSI), and the currently entered voicemail number on the phone (see below for technical details). While this sort of data collection from a wallpaper application is certainly suspicious, there’s no evidence of malicious behavior. There have been cases in the past on other mobile platforms where well-intentioned developers are simply over-zealous in their data gathering, without having malicious intent.
The wallpaper apps that we analyzed came from two developers: “jackeey,wallpaper” (whose developer name has changed to “callmejack” since we originally released our research) and “IceskYsl@1sters!”. According to androlib, applications from “jackeey,wallpaper” are estimated to have been downloaded 1-4 million times.
Nearly all of the wallpaper applications that we analyzed (more than 80) by “jackeey,wallpaper” and “IceskYsl@1sters!” requested the permission “android.permission.READ_PHONE_STATE”, which grants the application access to APIs that return the device’s phone number, subscriber id, and more. Interestingly enough, a few of the wallpaper apps by “IceskYsl@1sters!” did not request access to the phone state permission.
Looking closer at the applications using disassembly tools, we’re able to inspect what’s actually happening inside of the app. We found that apps from both developers shared common code inside of a class named “SyncDeviceInfosService”. Here’s an excerpt from one app’s implementation of the class. Because the “getDevice_info” method is quite long, we’ve only included the calls to sensitive APIs.
.method protected getDevice_info()Ljava/lang/String;
...
invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
...
invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
...
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;
...
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
...
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getVoiceMailNumber()Ljava/lang/String;
As you can see, there is code in the wallpaper applications that accesses sensitive data. It’s important to note that not all applications that access sensitive data actually transmit it off of the device. In order to see what sort of information the wallpaper applications transmit to the internet, we analyzed the network traffic generated by the application. When we used the application, one request in particular stood out: an unencrypted HTTP request to a server named “imnet.us”. Below is the raw request:
POST /api/wallpapers/log/device_info?locale=en-rUS&version_code=422&w=320&h=480&... [Note: irrelevant parameters removed]
Content-Length: 1146
Content-Type: application/x-www-form-urlencoded
Host: www.imnet.us
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Expect: 100-Continue
uniquely_code=000000000000000&device_info=device_id%3D000000000000000%26device_software_version%3D
null%26build_board%3Dunknown%26build_brand%3Dgeneric%26build_device%3Dgeneric%26build_display%3Dsdk-eng+2.2+FRF42+36942+test-keys%26build_fingerprint%3D
generic%2Fsdk%2Fgeneric%2F%3A2.2%2FFRF42%2F36942%3Aeng%2Ftest-keys%26build_model%3Dsdk%26build_product%3Dsdk%26build_tags%3D
test-keys%26build_time%3D1273720406000%26build_user%3Dandroid-build%26build_type%3Deng%26build_id%3DFRF42%26build_host%3De-honda.mtv.corp.google.com%26build_version_release%3D2.2%26build_version_sdk_int%3D
8%26build_version_incremental%3D36942%26density%3D1.0%26height_pixels%3D480%26scaled_density%3D
1.0%26width_pixels%3D320%26xdpi%3D160.0%26ydpi%3D160.0%26line1_number%3D15555218135%26network_country_iso%3D
us%26network_operator%3D310260%26network_operator_name%3DAndroid%26network_type%3D3%26phone_type%3D
1%26sim_country_iso%3Dus%26sim_operator%3D310260%26sim_operator_name%3DAndroid%26sim_serial_number%3D
89014103211118510720%26sim_state%3D5%26subscriber_id%3D310260000000000%26voice_mail_number%3D
%2B15552175049%26imsi_mcc%3D310%26imsi_mnc%3D260%26total_mem%3D35885056
Decoding the data in the POST request, we can see that several pieces of sensitive data are being sent to a server:
sim_serial_number=89014103211118510720
subscriber_id=310260000000000
line1_number=15555218135
voice_mail_number=+15552175049
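The decoding step can be reproduced with a short Python script. This is an added example, not code from the original research; the body is an excerpt of the request above with most build fields omitted, and the function names and the field-to-API pairing are assumptions made for the illustration.

```python
from urllib.parse import parse_qs

# Excerpt of the captured POST body shown above (most build_* fields omitted).
CAPTURED_BODY = (
    "uniquely_code=000000000000000&device_info=device_id%3D000000000000000"
    "%26build_display%3Dsdk-eng+2.2+FRF42+36942+test-keys"
    "%26line1_number%3D15555218135"
    "%26sim_serial_number%3D89014103211118510720%26sim_state%3D5"
    "%26subscriber_id%3D310260000000000"
    "%26voice_mail_number%3D%2B15552175049%26imsi_mcc%3D310%26imsi_mnc%3D260"
)

# The four fields called out in the post, paired with the TelephonyManager
# getter from the smali excerpt (pairing inferred from the names).
SENSITIVE = {
    "line1_number": "getLine1Number",
    "sim_serial_number": "getSimSerialNumber",
    "subscriber_id": "getSubscriberId",
    "voice_mail_number": "getVoiceMailNumber",
}


def decode_device_info(body: str) -> dict:
    """Return the key/value pairs nested inside the device_info form field."""
    # Outer layer: ordinary form encoding (%XX escapes, '+' means space).
    outer = parse_qs(body, keep_blank_values=True)
    inner = outer["device_info"][0]
    # Inner layer: plain key=value pairs joined by '&', with no further
    # escaping. Running parse_qs a second time would turn the '+' of
    # "+15552175049" into a space, so split by hand instead.
    fields = {}
    for pair in inner.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def sensitive_fields(fields: dict) -> dict:
    """Keep only the non-empty subscriber and phone identifiers."""
    return {k: fields[k] for k in SENSITIVE if fields.get(k)}


if __name__ == "__main__":
    for name, value in sensitive_fields(decode_device_info(CAPTURED_BODY)).items():
        print(f"{name}={value}  (TelephonyManager.{SENSITIVE[name]})")
```
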
While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior. There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent.
We’ve been working with Google to investigate these apps and they’re on top of it.
Overall, our goal is to help users and developers alike across all mobile platforms to be responsible and vigilant in ensuring a safe mobile experience.

Ener Etoc 29 Jul 10
Can you explain and confirm if your application was used to gather data for your genome project, if not how did you manage to get your analysis done ???
http://forum.xda-developers.com/showthread.php?p=7409102#post7409102
Anonymous 29 Jul 10
The actual problem is that most advertising providers were unable to encapsulate those permissions yet.
If you look at the Android SDK from Apple/Quattrowireless it requires you to use exactly those permissions and some more.
Quote:
Add the following permissions to your application:
* INTERNET
* READ_PHONE_STATE
* ACCESS_COARSE_LOCATION
* ACCESS_FINE_LOCATION
Source: http://wiki.quattrowireless.com/index.php/Android_SDK
Maybe the ad providers will start encapsulating now so free apps/games need no permissions at all. It’s technically possible.
kevin 29 Jul 10
@Ener,
We released a full description of how we gathered the data and our analysis methodology at the Blackhat conference (slides should be public soon), but here’s the brief summary.
We built software that connects to the Android Market and iPhone App Store to gather data on all apps (nearly 300k) and download free apps (nearly 100k). We analyzed the data our crawler gathered to produce the results for the App Genome Project.
Hope this clarifies things.
-Kevin
Ener Etoc 29 Jul 10
Yes, thanks for answering!
Like you I am a bit concerned with applications that ask for too many rights, in fact I did not install a scanner so far due to those concerns.
And unfortunately your scanner is hard to beat for that matter…
At the same time I do understand that you need those rights for Lookout to work!
I will wait to see some real reviews of the security app appear on specialized sites like vb100 etc…
Mikey 30 Jul 10
Here is a counter article to your report, Lookout! They say you are inaccurate, and the developer calls you irresponsible. I share the same sentiments though mine is valueless.
http://www.androidtapp.com/android-wallpaper-apps-falsely-accused-of-spyware-and-stealing-sensitive-user-data-fud/
kevin 30 Jul 10
@Mikey
To be clear, this blog post is exactly the same research that we originally presented at the Blackhat security conference. We have not changed any data nor have we retracted anything. At no time did we ever say that this application gathers text messages or browsing history. An early press article misreported our findings (and has since retracted the misreporting). We’ve been working to make sure everyone is reporting our research correctly and have been in contact with the applications’ author to make sure he understands what our research actually was.
From the beginning, we’ve made it very clear that while a wallpaper application gathering information such as a user’s phone number, subscriber identifier, and current voicemail number may be suspicious, there is no evidence of malicious behavior.
tom 23 Aug 10
Can you get the Lookout app on HTC Wildfire? If so, how?
jenny 24 Aug 10
Hi Tom,
It seems that many apps “disappear” from the Android Market when on the HTC wildfire. http://androidforums.com/htc-wildfire/151726-missing-marketplace-apps-wildfire.html
If you are having trouble finding Lookout, you can also go to GetJar to download Lookout: http://www.getjar.com/adp/Lookout-Mobile-Security-with-Antivirus