Android app grabs customer data

A number of popular Android applications can reportedly collect your mobile device's personal information and then send that data to a Chinese-owned website. The information in question includes your device's phone number, subscriber identifier number and, in some cases, your voicemail password, according to Phandroid.

The accusation comes from the mobile security firm Lookout made during the company's talk at the Black Hat security conference in Las Vegas. Lookout says the apps in question were made by Jackeey Wallpapers, according to a Venture Beat story.

It's unclear if the app is designed to be malicious and what exactly is done with the data collected. The apps let you download a variety of themed wallpapers including popular brands like Windows 7, The Simpsons, Dragon Ball, Hello Kitty and many more. Google does not post download numbers so it's unclear how many times these apps have been downloaded. But Lookout estimates the number could be as high as 4 million. You can find listings for Jackeey Wallpapers' applications on DoubleTwist's online catalogue of Android apps.

After the data has been collected by the wallpaper app it can be sent to the Website, imnet.us, VentureBeat says. In addition to Jackeey Wallpapers, another developer named iceskysl@1sters was also reportedly collecting user data. However, a quick look at the whois registrar information for imnet.us reveals that icesksyl@1sters is likely the developer for Jackeey Wallpapers apps. The whois information says the site is registered to a person based in Shenzhen, China. The registrar information also lists the site's contact organisation as "1sters!" and a webmail address for someone named iceskysl. Attempts to contact the site owner for comment were unsuccessful.

Lookout's discovery is part of the company's recently announced App Genome Project that aims to "map and study mobile applications." The company posted some early findings from the Genome Project earlier this week. The Project cataloged 300,000 mobile applications from the Android Market and iPhone App Store, and scrutinized the code for about 100,000 free mobile apps. Lookout discovered that 14 percent of iPhone apps and 8 percent of Android apps can access a user's contact data. Thirty-three percent of free iPhone applications can access a user's location, as can 29 percent of free Android apps.

All of these apps that can access user data are not necessarily malicious, and often have legitimate reasons for accessing the data. Nevertheless, Lookout believes it is important to know "what mobile applications are doing and use that information to more quickly identify potential security threats."