July 29, 2010

Update and Clarification of Analysis of Mobile Applications at Blackhat 2010

This week at Blackhat, we released the first findings from the App Genome Project.  Our goal with this research is to help make people aware of the capabilities of mobile apps so that they can be vigilant while downloading.  Mobile applications on all platforms–iPhone, BlackBerry, Android, and Symbian–can potentially gather sensitive data from users and we think it’s important that both developers and users act responsibly.  The Android permission model, for example, takes steps to inform users of the capabilities of apps, including what personal data the app could be accessing, thus empowering users to evaluate the apps they download and make good decisions.

During our research, we found that a series of wallpaper applications in the Android Market are gathering seemingly unnecessary data.  The wallpaper applications that we analyzed transmitted several pieces of sensitive data to a server over an unencrypted network connection.  The data included the device’s phone number, subscriber identifier (e.g. IMSI), and the currently entered voicemail number on the phone (see below for technical details).  While this sort of data collection from a wallpaper application is certainly suspicious, there’s no evidence of malicious behavior.  There have been cases in the past on other mobile platforms where well-intentioned developers are simply over-zealous in their data gathering, without having malicious intent.

The wallpaper apps that we analyzed came from two developers: “jackeey,wallpaper” (whose developer name has changed to “callmejack” since we originally released our research) and “IceskYsl@1sters!”.  According to androlib, applications from “jackeey,wallpaper” are estimated to have been downloaded 1-4 million times.

[Figure: Permissions requested by "Wallpaper,all categories"]

Nearly all of the wallpaper applications that we analyzed (more than 80) by “jackeey,wallpaper” and “IceskYsl@1sters!” requested the permission “android.permission.READ_PHONE_STATE”, which grants the application access to APIs that return the device’s phone number, subscriber id, and more.  Interestingly enough, a few of the wallpaper apps by “IceskYsl@1sters!” did not request access to the phone state permission.

Looking closer at the applications using disassembly tools, we’re able to inspect what’s actually happening inside of the app.  We found that apps from both developers shared common code inside of a class named “SyncDeviceInfosService”.  Here’s an excerpt from one of the apps’ implementations of the class.  Because the “getDevice_info” method is quite long, we’ve only included the calls to sensitive APIs.

.method protected getDevice_info()Ljava/lang/String;
invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getVoiceMailNumber()Ljava/lang/String;
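The same inspection can be automated across many disassembled apps. The script below is an added example, not Lookout's tooling or code from the original post: it scans smali text for the five TelephonyManager calls quoted above and checks them against the permissions an app declares. The names `scan_smali`, `summarize` and the sample with its `getNetworkName` method are constructed for illustration.

```python
import re

# TelephonyManager getters from the excerpt above, with the data each returns.
SENSITIVE_CALLS = {
    "getDeviceId": "device ID",
    "getLine1Number": "phone number",
    "getSimSerialNumber": "SIM serial number",
    "getSubscriberId": "subscriber ID",
    "getVoiceMailNumber": "voicemail number",
}
PHONE_STATE = "android.permission.READ_PHONE_STATE"
METHOD_RE = re.compile(r"^\s*\.method\s+(?:[\w-]+\s+)*([\w$<>]+)\(")
INVOKE_RE = re.compile(
    r"^\s*invoke-[\w/]+\s+\{[^}]*\},\s*Landroid/telephony/TelephonyManager;->(\w+)\(")

def scan_smali(text):
    """Return {method name: [sensitive TelephonyManager calls, in order]}."""
    findings, current = {}, "<no method>"
    for line in text.splitlines():
        method = METHOD_RE.match(line)
        if method:
            current = method.group(1)
        elif line.strip() == ".end method":
            current = "<no method>"
        else:
            call = INVOKE_RE.match(line)
            if call and call.group(1) in SENSITIVE_CALLS:
                findings.setdefault(current, []).append(call.group(1))
    return findings

def summarize(findings, declared_permissions):
    """List the data types read and whether the manifest declares the permission."""
    data = sorted({SENSITIVE_CALLS[c] for calls in findings.values() for c in calls})
    return {"data_read": data, "permission_declared": PHONE_STATE in declared_permissions}

# Constructed sample: the calls quoted in the post plus a harmless method.
SAMPLE = """\
.method protected getDevice_info()Ljava/lang/String;
    invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
    invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;
    invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getVoiceMailNumber()Ljava/lang/String;
.end method
.method public getNetworkName()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getNetworkOperatorName()Ljava/lang/String;
.end method
"""
```

A hit only shows that the code reads the value; whether it leaves the device still has to be confirmed from network traffic.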

As you can see, there is code in the wallpaper applications that accesses sensitive data.  It’s important to note that not all applications that access sensitive data actually transmit it off of the device.  In order to see what sort of information the wallpaper applications transmit to the internet, we analyzed the network traffic generated by the application.  When we used the application, one request in particular stood out: an unencrypted HTTP request to a server named “imnet.us”. Below is the raw request:

POST /api/wallpapers/log/device_info?locale=en-rUS&version_code=422&w=320&h=480&... [Note: irrelevant parameters removed]
Content-Length: 1146
Content-Type: application/x-www-form-urlencoded
Host: www.imnet.us
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Expect: 100-Continue


Decoding the data in the POST request, we can see that several pieces of sensitive data are being sent to a server:
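One way to run this kind of check on captured traffic, shown as an added example that is not part of the original post: decode the form body and look for identifiers known to belong to the test device. The field names, identifier values and function names below are constructed, since the real parameter names are not shown in the post; only the host and path come from the request above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

def digits(value):
    """Keep only digits so '+1 555 555 0100' and '15555550100' compare equal."""
    return re.sub(r"\D", "", value)

def find_identifier_leaks(url, body, known_identifiers):
    """Report form fields in a captured request that carry the test device's identifiers."""
    leaks = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for label, ident in known_identifiers.items():
            if digits(ident) and digits(ident) in digits(value):
                leaks.append((name, label))
    parts = urlsplit(url)
    return {
        "host": parts.hostname,
        "cleartext": parts.scheme != "https",  # plain HTTP is readable on the wire
        "leaks": leaks,
    }

# Constructed identifiers for a test device (fictional numbers).
KNOWN = {
    "phone number": "+1 555 555 0100",
    "subscriber ID": "001010123456789",
    "voicemail number": "+1 555 555 0199",
}
# Host and path are from the request in the post; the body is constructed.
URL = "http://www.imnet.us/api/wallpapers/log/device_info"
BODY = ("field_a=%2B15555550100&field_b=001010123456789"
        "&field_c=%2B15555550199&w=320&h=480")

def demo():
    """Run the check on the constructed capture."""
    return find_identifier_leaks(URL, BODY, KNOWN)
```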


While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior. There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent.

We’ve been working with Google to investigate these apps and they’re on top of it.

Overall, our goal is to help users and developers alike across all mobile platforms to be responsible and vigilant in ensuring a safe mobile experience.

  1. […] Hat speakers from Lookout, wrote us to let us know that the full details on the wallpaper apps have been posted here, if you’d like to read. Meanwhile, estimations of just how many people have downloaded this […]

  2. Ener Etoc says:

    Can you explain and confirm if your application was used to gather data for your genome project? If not, how did you manage to get your analysis done?


  4. Anonymous says:

    The actual problem is that most advertising providers were unable to encapsulate those permissions yet.
    If you look at the Android SDK from Apple/Quattrowireless it requires you to use exactly those permissions and some more.

    Add the following permissions to your application:

    Source: http://wiki.quattrowireless.com/index.php/Android_SDK

    Maybe the ad providers will start encapsulating now so free apps/games need no permissions at all. It’s technically possible.

  5. kevin says:


    We released a full description of how we gathered the data and our analysis methodology at the Blackhat conference (slides should be public soon), but here’s the brief summary.

    We built software that connects to the Android Market and iPhone App Store to gather data on all apps (nearly 300k) and download free apps (nearly 100k). We analyzed the data our crawler gathered to produce the results for the App Genome Project.

    Hope this clarifies things.


  6. Ener Etoc says:

    Yes, thanks for answering!

    Like you, I am a bit concerned with applications that ask for too many rights; in fact, I have not installed a scanner so far due to those concerns.

    And unfortunately your scanner is hard to beat for that matter…
    At the same time, I do understand that you need those rights for Lookout to work!

    I will wait to see some real reviews of the security app appear on specialized sites like vb100, etc…

  7. Erick S says:

    When will you be conducting the same analysis of your application and what it has permissions to access?

  8. […] wallpapers, something must have gone wrong in the Android Market, as the security firm Lookout has detected that this application was sending personal information from handsets to a […]

  9. Mikey says:

    Here is a counter article to your report, Lookout! They say you are inaccurate, and the developer calls you irresponsible. I share the same sentiments though mine is valueless.


  10. kevin says:


    To be clear, this blog post is exactly the same research that we originally presented at the Blackhat security conference. We have not changed any data nor have we retracted anything. At no time did we ever say that this application gathers text messages or browsing history. An early press article misreported our findings (and has since retracted the misreporting). We’ve been working to make sure everyone is reporting our research correctly and have been in contact with the applications’ author to make sure he understands what our research actually was.

    From the beginning, we’ve made it very clear that while a wallpaper application gathering information such as a user’s phone number, subscriber identifier, and current voicemail number may be suspicious, there is no evidence of malicious behavior.

  11. Bob says:

    The implications of the word “suspicious” directed at some benign Android developer have already caused irreparable damage. The 24-hour news cycle and the outlets who ran with the “story” are partially to blame (likely grasping for a portion of the apple/google/motorola flame war spotlight). However, the recklessness of the original post shouldn’t be swept under the rug by delegating blame.

  12. Pinay says:

    Wow… I’m seeing another reason why I have to study JAVA (j2me) again, security related issues + codes = fun

  13. PJ says:

    I just downloaded Lookout 8/4/10. My phone froze up for about an hour. It wouldn’t turn off or on or move in any way. Suddenly, I was able to get back into the phone and the only thing I was able to access was the Lookout screen asking me to sign up. I uninstalled it immediately! I just got my MyTouch Slide. What is going on? T-Mobile referred this app to me and I want it, but currently I’m scared to even download it again.

  14. interested reader says:

    Ever since you posted this article I’ve been looking for the slides for your BlackHat presentation. However, I seem to be unable to find them…. any pointers?

  15. tom says:

    Can you get lookout app on HTC wildfire? If so, how?

  16. jenny says:

    Hi Tom,
    It seems that many apps “disappear” from the Android Market when on the HTC wildfire. http://androidforums.com/htc-wildfire/151726-missing-marketplace-apps-wildfire.html

    If you are having trouble finding Lookout, you can also go to GetJar to download Lookout: http://www.getjar.com/adp/Lookout-Mobile-Security-with-Antivirus

  17. Marco says:

    And unfortunately your scanner is hard to beat for that matter…
    At the same time, I do understand that you need those rights for Lookout to work!

  18. Can I simply say such a relief to discover person who actually knows just what they’re sharing on the web. You definitely find out how to bring a difficulty to light and make it necessary. More people need to read it all and understand it section of the story. I cant believe you are not very popular because you really have the gift.
