Phantom Mobile Threats

How secure is your mobile phone?

This is an old bugaboo that folks who sell antivirus software have tried to get us scared about. But the truth is that for the past decade there’s really not much to lose sleep over.

That hasn’t stopped people getting freaked out about it.

A security conference heard that some downloadable applications for phones running the Android operating system would “collect a user’s browsing history, their text messages, the phone’s SIM card number and subscriber identification” and send all this data to a website owned by someone in Shenzhen, China. Some outlets reported that it also transmitted users’ voicemail passwords.

About 700 outlets covered the story, including mainstream publications like the Telegraph and Fortune magazine: “Is your smart phone spying on you?” asked one TV station’s website.

Scary stuff.

Only it isn’t true. It’s not clear who misreported all this—the journalists and others covering the event, or the company releasing the fruits of their research, but it gradually emerged that the applications—downloadable wallpapers—only transmitted a portion of this data. (See a corrected version of a story here.)

Indeed, the whole thing gets less suspicious the more you dig.

This is what the developer told me in a text interview earlier today: “The app [recorded] the phone number [because] Some people complained that when they change the[ir] phone, they will lose the[ir] favorite [settings]. So I [store] the phone number and subscriber ID to try to make sure that when [they] changed the phone, they have the same favorites.”

Needless to say the developer, based in Shenzhen, is somewhat miffed that no one tried to contact him before making the report public; nor had any of the 700 or so outlets that wrote about his applications tried to contact him before writing their stories.

“I am just an Android developer,” he said. “I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.”

Now of course he could be lying through his teeth, but I see no evidence in the Lookout report or anything that has appeared subsequently that seems to suggest the developer has done anything underhand. (The developer shared with me some screenshots of his app’s download page which show that they do not request permission to access text message content, nor of browsing history.)

In fact, he seemed to be doing a pretty good job: His apps had been downloaded several million times. He declined to give his name, but acknowledged that he was behind both apps provided under the name Jackeey, and under the name iceskysl@1sters!

Not much longer. One website quoted Lookout as saying “We’ve been working with Google to investigate these apps and they’re on top of it.” They have: Google has now removed the apps from their site. So I guess Jackeey, as he asked me to call him, is going to have to look for other ways to spend his time. (He told me that Lookout had contacted him by email but not, apparently, before going public.) 

Seems a shame. Obviously, there is a mobile threat out there, but I’m not sure this is the way to go about addressing it. And I don’t think a guy in Shenzhen doing wallpaper apps is, frankly, worth so much hysterical column ink.

Let’s keep some perspective, guys, and not embark on a witch-hunt without some forethought.

Lookout has since been backtracking a bit from its original dramatic findings. “While this sort of data collection from a wallpaper application is certainly suspicious,” it says on its blog, “there’s no evidence of malicious behavior.”

Suspicious? We seem very quick to attribute suspicious behavior to someone we don’t know much about, in some scary far-off place, but less quick to do so with those we know closer to home. Lookout’s main business, after all, is prominently displayed on their homepage: an application to, in its words, “protect yourself from mobile viruses and malware. Stop hackers in their tracks.”

Conflict of interest, anyone?

One thought on “Phantom Mobile Threats”

  1. Maybe it is a “witch hunt” but better safe than sorry.

    I have a little girl who loves Disney princesses, so when I got my Droid Incredible I set out to find a few games she could play when she’s bored. I found a great free Disney Princess jigsaw puzzle, but when I tried to install it, the OS warned me that this application has access to both general area and fine GPS coordinates and the internet, and asked if I wanted to continue. I said no.

    What’s the big deal? Well, why should a jigsaw puzzle access my GPS at all, let alone GPS coordinates within a few meters?

    Let your imagination go wild for a moment… a little girl is not aware of her surroundings because she’s playing this game. If it posts those GPS coordinates on the Internet, anyone with a GPS and an internet connection can find her, and they know her gender because very few boys would be playing a princess game. The app is written by a pedophile or someone who assists pedophiles, right?

    So I wrote the author, asking why the app needs those permissions. He wrote back that his app has ads that are geographically specific. That at least satisfies my suspicion that nothing of any value is truly free, so the story checks out.

    Maybe that’s the truth or maybe it’s not, but the ethics of such geographically-specific advertising aimed at kids is questionable anyway. I won’t install the app, not even with Lookout installed, not even from Google’s own Marketplace which I otherwise trust.

    Better safe than sorry.
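Both the post (a wallpaper app declaring access to the phone number and subscriber ID) and the comment above (a jigsaw puzzle declaring fine GPS and internet access) turn on the same question: does an app’s declared permission set match what the app plausibly needs? The script below is an added illustration, not code from the original post, from Lookout, or from the developer; it parses a constructed AndroidManifest.xml, compares the declared `uses-permission` entries against an illustrative per-category baseline (the baselines and the sample manifests are assumptions, not an official list), and reports which excess permissions reach identity, location or private data and whether the INTERNET permission would let that data leave the device.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: illustrative baselines of what each app category plausibly needs.
EXPECTED: Dict[str, Set[str]] = {
    "wallpaper": {"android.permission.INTERNET", "android.permission.SET_WALLPAPER"},
    "puzzle_game": {"android.permission.INTERNET"},
}

# Real permission names and what each exposes (READ_HISTORY_BOOKMARKS is the
# legacy Android 2.x browser permission covering browsing history).
SENSITIVE: Dict[str, str] = {
    "android.permission.READ_PHONE_STATE": "phone number, subscriber and SIM identifiers",
    "android.permission.READ_SMS": "text message content",
    "android.permission.ACCESS_FINE_LOCATION": "GPS position to within a few metres",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browsing history",
}
INTERNET = "android.permission.INTERNET"


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return every android:name from <uses-permission> elements in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def triage(manifest_xml: str, category: str) -> dict:
    """Flag permissions beyond the category baseline and whether they could be sent off-device."""
    perms = declared_permissions(manifest_xml)
    excess = perms - EXPECTED.get(category, set())
    sensitive: List[Tuple[str, str]] = [(p, SENSITIVE[p]) for p in sorted(excess) if p in SENSITIVE]
    return {
        "permissions": sorted(perms),
        "excess": sorted(excess),
        "sensitive": sensitive,
        # Sensitive data plus network access is the combination worth a second look.
        "can_exfiltrate": bool(sensitive) and INTERNET in perms,
    }


def _manifest(*permissions: str) -> str:
    """Build a minimal constructed manifest declaring the given permissions."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    return (
        '<manifest xmlns:android="%s" package="com.example.sample">%s'
        "<application/></manifest>" % (ANDROID_NS, uses)
    )


# Constructed samples modelled on the two cases discussed on the page.
WALLPAPER_MANIFEST = _manifest(
    INTERNET, "android.permission.SET_WALLPAPER", "android.permission.READ_PHONE_STATE"
)
PUZZLE_MANIFEST = _manifest(
    INTERNET, "android.permission.ACCESS_COARSE_LOCATION", "android.permission.ACCESS_FINE_LOCATION"
)
BENIGN_PUZZLE_MANIFEST = _manifest(INTERNET)


def report(manifest_xml: str, category: str) -> str:
    """Human-readable summary of a triage result."""
    result = triage(manifest_xml, category)
    lines = ["category=%s excess=%s" % (category, result["excess"] or "none")]
    for perm, reason in result["sensitive"]:
        lines.append("  %s -> %s" % (perm, reason))
    if result["can_exfiltrate"]:
        lines.append("  network access declared: this data can leave the device")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WALLPAPER_MANIFEST, "wallpaper"))
    print(report(PUZZLE_MANIFEST, "puzzle_game"))
    print(report(BENIGN_PUZZLE_MANIFEST, "puzzle_game"))
```

The check is deliberately one of expectation rather than proof: an excess permission is a reason to ask the developer why it is there (as both the author and the commenter did), not evidence of malice on its own, which is the distinction the post draws between “suspicious” and “malicious.”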
