Phantom Mobile Threats
How secure is your mobile phone?
This is an old bugaboo that folks who sell antivirus software have tried to get us scared about. But the truth is that for the past decade there’s really not been much to lose sleep over.
That hasn’t stopped people getting freaked out about it.
A security conference heard that some downloadable applications for phones running the Android operating system would “collect a user’s browsing history, their text messages, the phone’s SIM card number and subscriber identification” and send all this data to a website owned by someone in Shenzhen, China. Some outlets reported that it also transmitted the user’s passwords to their voicemail.
About 700 outlets covered the story, including mainstream publications like the Telegraph and Fortune magazine: “Is your smart phone spying on you?” asked one TV station’s website.
Only it isn’t true. It’s not clear who misreported all this—the journalists and others covering the event, or the company releasing the fruits of their research, but it gradually emerged that the applications—downloadable wallpapers—only transmitted a portion of this data. (See a corrected version of a story here.)
Indeed, the whole thing gets less suspicious the more you dig.
This is what the developer told me in a text interview earlier today: “The app [recorded] the phone number [because] some people complained that when they change the[ir] phone, they will lose the[ir] favorite [settings]. So I [store] the phone number and subscriber ID to try to make sure that when [they] changed the phone, they have the same favorites.”
Needless to say the developer, based in Shenzhen, is somewhat miffed that no one tried to contact him before making the report public; nor had any of the 700 or so outlets that wrote about his applications tried to contact him before writing their stories.
“I am just an Android developer,” he said. “I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.”
Now of course he could be lying through his teeth, but I see no evidence in the Lookout report or anything that has appeared subsequently that seems to suggest the developer has done anything underhand. (The developer shared with me some screenshots of his app’s download page which show that they do not request permission to access text message content or browsing history.)
In fact, he seemed to be doing a pretty good job: His apps had been downloaded several million times. He declined to give his name, but acknowledged that he was behind both apps provided under the name Jackeey, and under the name iceskysl@1sters!
Not much longer. One website quoted Lookout as saying “We’ve been working with Google to investigate these apps and they’re on top of it.” They have: Google has now removed the apps from their site. So I guess Jackeey, as he asked me to call him, is going to have to look for other ways to spend his time. (He told me that Lookout had contacted him by email but not, apparently, before going public.)
Seems a shame. Obviously, there is a mobile threat out there, but I’m not sure this is the way to go about addressing it. And I don’t think a guy in Shenzhen doing wallpaper apps is, frankly, worth so much hysterical column ink.
Let’s keep some perspective, guys, and not embark on a witch-hunt without some forethought.
Lookout has since been backtracking a bit from its original dramatic findings. “While this sort of data collection from a wallpaper application is certainly suspicious,” it says on its blog, “there’s no evidence of malicious behavior.”
Suspicious? We seem very quick to attribute suspicious behavior to someone we don’t know much about, in some scary far-off place, but less to those we do closer to home: Lookout’s main business, after all, is prominently displayed on their homepage: an application to, in its words, “protect yourself from mobile viruses and malware. Stop hackers in their tracks.”
Conflict of interest, anyone?
30. July 2010 by jeremy