FROM:
http://grahamcluley.com/2013/12/android-game-steals-whatsapp-chats-offers-sale/Android game steals WhatsApp chats and offers them for sale
Graham Cluley | December 6, 2013 6:34 pm | Filed under: Android, Data loss, Google, Malware, Privacy | 0
If you're new here, you may want to subscribe to the RSS feed, like us on Facebook, or sign-up for the free email newsletter which contains computer security advice, news, hints and tips. Thanks for visiting!
An Android game has been removed from the official Google Play store after it was found to be secretly stealing users’ WhatsApp conversation databases, and offering them for sale on an internet website.
Balloon Pop 2
The game, Balloon Pop 2, is nothing to write home about – but behind its simple exterior lies the ability to scoop up private conversations that you may have made via WhatsApp on your Android device, and upload them to a website called WhatsAppCopy.
Code from Balloon Pop 2
The attacker can then visit the WhatsAppCopy website, enter the phone number of the Android device they are targeting, and (for a fee) access the private conversations.
WhatsAppCopy website
Install the game, find your phone, read your conversations
FREE Try it, it works!
The WhatsAppCopy website openly advertises the BalloonPop2 game as a way of “backing up” a device’s WhatsApp conversations.
Of course, the people behind the website and the BalloonPop2 game would probably argue that they are providing a legitimate service to people who want to create a remote backup of their WhatsApp conversations, and it’s not their fault if the game is misused by people trying to snoop on other people’s privacy.
Balloon Pop 2 and WhatsAppHowever, if that were really the site’s intentions, wouldn’t it be appropriate if a big fat unavoidable warning message was displayed before the game did its dirty deed – giving users the option to realise what was occurring and opt out if they wanted?
Google clearly takes a dim view of the app, as it has now removed it from the official Google Play Android app store.
But, of course, it’s quite possible that the app will be widely distributed via unofficial stores – and future versions could be distributed using other disguises than a balloon-popping game.
Clearly, there are a few lessons to be learnt here.
One is that just because an app is in the official Google Play store, it cannot necessarily be trusted. Google, unfortunately, has a pretty poor record in policing its Android app store. This isn’t the first time that a dodgy app has been found up there, and it won’t be the last. Google, can you please get your act together? Your chairman’s claims that Androids are more secure than iPhones are laughable.
At least Apple has tight reins over the programs which make it into the iOS store for iPhones and iPads.
Second, WhatsApp needs to get better at security. If Android is going to allow apps like BalloonPop2 to scoop up users’ private conversations, then maybe WhatsApp (and similar programs) need to do a better job of encrypting those conversations on the device itself.
Security researchers at McAfee tell me that they are adding detection of the offending BalloonPop2 application as Android/Ballonpoper for their customers, and I imagine other vendors will follow in due course.
Tags: android, balloon pop, balloonpop2, whatsapp, whatsappcopy
About the author, Graham Cluley
Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives presentations on the topic of computer security and online privacy. Follow him on Twitter at @gcluley, Google Plus, App.net, or drop him an email.
... Karma!
Devvie
~~~ notemail@facebook.com ~~~
Conare nullius momenti videri fortasse missilibus careant
——
All spelling mistakes are my own and may only be distributed under the GNU General Public License! – (© 95-1 by Coredump; 2-013 by DevNullius)
Total Members: 14197
Topic: WhatsApp chat logs stolen (and sold!!) by Android game Ballloon Pop 2 (Read 4005 times)
