Millions of Android users hit by malicious data theft app from China (imnet.us)

An app distributed by Google's Android Market has collected private data from millions of users and forwarded it to servers China, validating Apple's uniquely strong stance on mobile security in the iPhone App Store.

The exploit, tied to an app that appeared to simply load free custom background wallpapers, was downloaded "anywhere from 1.1 million to 4.6 million times. The exact number isn’t known because the Android Market doesn’t offer precise data," according to a report by Dean Takahashi of VentureBeat.

The app "collects a user’s browsing history, text messages, your phone’s SIM card number, subscriber identification, and even your voice mail password. It sends the data to a web site, "imnet.us". That site is evidently owned by someone in Shenzhen, China," the report noted.

The data theft was only discovered afterward, through forensics performed by mobile security firm named Lookout which sells virus and malware protection software for Android, Windows Mobile and BlackBerry devices. The problem was announced at the Black Hat security conference being held in Las Vegas.

Mobile data theft on the increase

The issue recalls a recent AT&T website leak that could hypothetically have enabled a malicious hacker to access 144 thousand of iPad 3G user's email addresses.

However, the Android app data theft was actually perpetrated by malicious hackers and not just demonstrated by researchers; it involves far more sensitive data; and affected far more victims--by more than an order of magnitude.

iOS vs Android in app security

Apps on any platform can access personal data and forward that data to an external server, but the Lookout research found that 47 percent of the selection of Android apps it looked at incorporated third party code (which may include malicious functions), while only 23 percent of analyzed iPhone apps did.

Apple also approves iOS apps through a strict vetting process before listing them in the App Store, while Google's Android Market app security involves simply warning the user that an app needs permissions to perform certain functions during the install.

Unlike other mobile platforms secured by Lookout, Apple's iOS platform doesn't have a live virus problem because third party iPhone apps can only be distributed through Apple's curated App Store, and apps are forced to run in a segregated sandbox environment where they can't infect the system. That doesn't necessarily mean iOS apps can't forward user data inappropriately however; Apple has discovered and pulled apps that have violated its privacy policies.

Apps must also be signed by a certificate created by Apple, which makes it much harder for malicious developers to anonymously distribute software designed to cause problems or steal data. Apple's security measures also make such efforts less attractive financially, despite the iOS platform's installed base being much larger than Android's.

Exploitable vulnerabilities in the iOS platform have been reported elsewhere, including the Safari browser, but crafting a malicious attack via the browser requires luring users to a malicious site rather than simply distributing a bad app that appears to be useful and genuine.

Lookout chief executive John Hering said in the report that "he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps," but the report noted it's "unclear what happens" when apps don't actually do what they represent.

(ai)