July 29, 2010

Update and Clarification of Analysis of Mobile Applications at Blackhat 2010

This week at Blackhat, we released the first findings from the App Genome Project.  Our goal with this research is to make people aware of the capabilities of mobile apps so that they can be vigilant about what they download.  Mobile applications on every platform (iPhone, BlackBerry, Android, and Symbian) can potentially gather sensitive data from users, and we think it is important that both developers and users act responsibly.  The Android permission model, for example, tells users at install time what an app is capable of, including which personal data the app could access, so that users can evaluate the apps they download and make good decisions.

During our research, we found that a series of wallpaper applications in the Android Market gather seemingly unnecessary data.  The wallpaper applications that we analyzed transmitted several pieces of sensitive data to a server over an unencrypted HTTP connection, so the data was readable not only by the server's operator but by anyone on the network path.  The data included the device's phone number, subscriber identifier (IMSI), and the voicemail number currently configured on the phone (see below for technical details).  While this sort of data collection from a wallpaper application is certainly suspicious, there is no evidence of malicious behavior.  There have been cases in the past on other mobile platforms where well-intentioned developers were simply over-zealous in their data gathering, without any malicious intent.

The wallpaper apps that we analyzed came from two developers, “jackeey,wallpaper” (whose developer name has changed to “callmejack” since we originally released our research) and “IceskYsl@1sters!”.  According to androlib, applications from “jackeey,wallpaper” are estimated to have been downloaded 1-4 million times.

[Image: permissions requested by "Wallpaper,all categories"]

Nearly all of the wallpaper applications that we analyzed (more than 80) by “jackeey,wallpaper” and “IceskYsl@1sters!” requested the permission “android.permission.READ_PHONE_STATE”, which gates the TelephonyManager APIs that return the device’s phone number, subscriber ID (IMSI), IMEI, SIM serial number, voicemail number, and more.  Interestingly, a few of the wallpaper apps by “IceskYsl@1sters!” did not request the phone state permission; without it, the calls shown below would fail with a SecurityException instead of returning data.

Looking closer at the applications with disassembly tools, we can inspect what is actually happening inside the app.  We found that apps from both developers share common code in a class named “SyncDeviceInfosService”.  Here is an excerpt from one app’s implementation of the class.  Because the “getDevice_info” method is quite long, we have included only the calls to sensitive APIs.

.method protected getDevice_info()Ljava/lang/String;
...
invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
...
invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
...
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;
...
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
...
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getVoiceMailNumber()Ljava/lang/String;

As you can see, the wallpaper applications contain code that reads sensitive data.  It is important to note that not all applications that access sensitive data actually transmit it off the device.  To see what the wallpaper applications actually send to the internet, we analyzed the network traffic generated by the application.  One request in particular stood out: an unencrypted HTTP POST to a server named “imnet.us”.  Below is the raw request:
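
The excerpt above is what a static pass over the disassembly turns up.  As an added example (this is not code from the post or from the apps it discusses), here is a small Python triage script of the kind used to find it: it walks a smali file, records every call into android.telephony.TelephonyManager that returns a device or subscriber identifier, attributes each call to the enclosing method, and cross-checks the manifest for READ_PHONE_STATE and INTERNET.  The smali class and manifest embedded in it are constructed samples modelled on the excerpt; the package name com.example.wallpaper and the function names are assumptions, not identifiers from the real apps.

```python
"""Static triage of a disassembled Android app for sensitive telephony reads.

Added example; the smali and manifest below are constructed samples modelled
on the excerpt in the post, not the real apps' code.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# TelephonyManager getters that return device/subscriber identifiers.  All of
# them were gated by android.permission.READ_PHONE_STATE on Android 2.x.
SENSITIVE_TELEPHONY = {
    "getDeviceId": "IMEI/MEID",
    "getLine1Number": "phone number",
    "getSimSerialNumber": "SIM serial (ICCID)",
    "getSubscriberId": "IMSI",
    "getVoiceMailNumber": "voicemail number",
}

METHOD_START = re.compile(r"^\.method\s+(?:[\w-]+\s+)*([^\s(]+)\(")
METHOD_END = re.compile(r"^\.end method")
TELEPHONY_CALL = re.compile(
    r"invoke-\w+(?:/range)?\s+\{[^}]*\},\s*"
    r"Landroid/telephony/TelephonyManager;->(\w+)\("
)

# Constructed sample shaped like the post's SyncDeviceInfosService excerpt.
# getNetworkOperatorName() is included to show that only identifier-returning
# calls are reported.
SAMPLE_SMALI = """\
.class public Lcom/example/wallpaper/SyncDeviceInfosService;
.super Landroid/app/Service;

.method protected getDevice_info()Ljava/lang/String;
    .locals 8
    const-string v0, "phone"
    invoke-virtual {p0, v0}, Landroid/content/Context;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v7
    check-cast v7, Landroid/telephony/TelephonyManager;
    invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v1
    invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getLine1Number()Ljava/lang/String;
    move-result-object v2
    invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getNetworkOperatorName()Ljava/lang/String;
    move-result-object v3
    invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    move-result-object v4
    return-object v1
.end method
"""

# Constructed sample manifest declaring the two permissions that matter here.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def sensitive_telephony_calls(smali_text):
    """List of (enclosing_method, api, what_it_returns) for identifier reads."""
    found, current = [], None
    for line in smali_text.splitlines():
        line = line.strip()
        start = METHOD_START.match(line)
        if start:
            current = start.group(1)
        elif METHOD_END.match(line):
            current = None
        else:
            call = TELEPHONY_CALL.search(line)
            if call and call.group(1) in SENSITIVE_TELEPHONY:
                api = call.group(1)
                found.append((current, api, SENSITIVE_TELEPHONY[api]))
    return found


def triage(smali_text, manifest_xml):
    """Combine the code scan with the manifest to say what the app *can* do."""
    perms = declared_permissions(manifest_xml)
    calls = sensitive_telephony_calls(smali_text)
    notes = []
    if calls and "android.permission.READ_PHONE_STATE" not in perms:
        notes.append("reads identifiers without READ_PHONE_STATE: "
                     "these calls throw SecurityException at runtime")
    if calls and "android.permission.INTERNET" in perms:
        notes.append("can read identifiers and open sockets: "
                     "capture traffic to confirm whether they leave the device")
    return {"permissions": perms, "calls": calls, "notes": notes}


if __name__ == "__main__":
    report = triage(SAMPLE_SMALI, SAMPLE_MANIFEST)
    for method, api, meaning in report["calls"]:
        print(f"{method}: TelephonyManager.{api}() -> {meaning}")
    for note in report["notes"]:
        print("note:", note)
```

The script deliberately stops at "can read and can send"; as the next paragraph says, only a traffic capture shows whether the identifiers actually leave the device.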


POST /api/wallpapers/log/device_info?locale=en-rUS&version_code=422&w=320&h=480&... [Note: irrelevant parameters removed]

Content-Length: 1146
Content-Type: application/x-www-form-urlencoded
Host: www.imnet.us
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
Expect: 100-Continue

uniquely_code=000000000000000&device_info=device_id%3D000000000000000%26device_software_version%3D
null%26build_board%3Dunknown%26build_brand%3Dgeneric%26build_device%3Dgeneric%26build_display%3Dsdk-eng+2.2+FRF42+36942+test-keys%26build_fingerprint%3D
generic%2Fsdk%2Fgeneric%2F%3A2.2%2FFRF42%2F36942%3Aeng%2Ftest-keys%26build_model%3Dsdk%26build_product%3Dsdk%26build_tags%3D
test-keys%26build_time%3D1273720406000%26build_user%3Dandroid-build%26build_type%3Deng%26build_id%3DFRF42%26build_host%3De-honda.mtv.corp.google.com%26build_version_release%3D2.2%26build_version_sdk_int%3D
8%26build_version_incremental%3D36942%26density%3D1.0%26height_pixels%3D480%26scaled_density%3D
1.0%26width_pixels%3D320%26xdpi%3D160.0%26ydpi%3D160.0%26line1_number%3D15555218135%26network_country_iso%3D
us%26network_operator%3D310260%26network_operator_name%3DAndroid%26network_type%3D3%26phone_type%3D
1%26sim_country_iso%3Dus%26sim_operator%3D310260%26sim_operator_name%3DAndroid%26sim_serial_number%3D
89014103211118510720%26sim_state%3D5%26subscriber_id%3D310260000000000%26voice_mail_number%3D
%2B15552175049%26imsi_mcc%3D310%26imsi_mnc%3D260%26total_mem%3D35885056

Decoding the form-encoded POST body (the device_info parameter is itself a list of key=value pairs), we can see that several pieces of sensitive data are sent to the server:

sim_serial_number=89014103211118510720
subscriber_id=310260000000000
line1_number=15555218135
voice_mail_number=+15552175049
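
The decoding above has one trap worth showing in code.  As an added example (not code from the post), the Python below parses the captured body, extracts the identifier fields, and flags that the capture came from an SDK emulator.  CAPTURED_BODY is the request body shown above with its line wrapping removed; the function names are my own.  The point it demonstrates: only the outer layer is real application/x-www-form-urlencoded data.  The app joined raw values with "=" and "&" and let its HTTP client encode the whole string once, so "%2B15552175049" decodes to the real voicemail number "+15552175049" after one pass, and a second urldecode would turn that "+" into a space.

```python
"""Decode the captured device_info POST and pull out the subscriber identifiers.

Added example, not code from the original post.  CAPTURED_BODY is the request
body shown in the post with its line wrapping removed; function names are mine.
"""
from urllib.parse import parse_qs

# device_info fields that identify the handset or the subscriber.
SENSITIVE_FIELDS = {
    "device_id": "IMEI/MEID",
    "line1_number": "phone number",
    "sim_serial_number": "SIM serial (ICCID)",
    "subscriber_id": "IMSI",
    "voice_mail_number": "voicemail number",
}

CAPTURED_BODY = (
    "uniquely_code=000000000000000&device_info=device_id%3D000000000000000%26device_software_version%3D"
    "null%26build_board%3Dunknown%26build_brand%3Dgeneric%26build_device%3Dgeneric%26build_display%3Dsdk-eng+2.2+FRF42+36942+test-keys%26build_fingerprint%3D"
    "generic%2Fsdk%2Fgeneric%2F%3A2.2%2FFRF42%2F36942%3Aeng%2Ftest-keys%26build_model%3Dsdk%26build_product%3Dsdk%26build_tags%3D"
    "test-keys%26build_time%3D1273720406000%26build_user%3Dandroid-build%26build_type%3Deng%26build_id%3DFRF42%26build_host%3De-honda.mtv.corp.google.com%26build_version_release%3D2.2%26build_version_sdk_int%3D"
    "8%26build_version_incremental%3D36942%26density%3D1.0%26height_pixels%3D480%26scaled_density%3D"
    "1.0%26width_pixels%3D320%26xdpi%3D160.0%26ydpi%3D160.0%26line1_number%3D15555218135%26network_country_iso%3D"
    "us%26network_operator%3D310260%26network_operator_name%3DAndroid%26network_type%3D3%26phone_type%3D"
    "1%26sim_country_iso%3Dus%26sim_operator%3D310260%26sim_operator_name%3DAndroid%26sim_serial_number%3D"
    "89014103211118510720%26sim_state%3D5%26subscriber_id%3D310260000000000%26voice_mail_number%3D"
    "%2B15552175049%26imsi_mcc%3D310%26imsi_mnc%3D260%26total_mem%3D35885056"
)


def parse_device_info_post(body):
    """Return the key/value pairs packed into the device_info parameter.

    The outer layer is ordinary form encoding, so parse_qs handles it.  The
    inner layer is NOT a second encoding: after one decode '+15552175049' is
    the literal voicemail number, so the inner string is split by hand and
    never decoded again.  (A raw value containing '&' or '=' would be
    ambiguous; that is a defect of the app's format, not of this parser.)
    """
    outer = parse_qs(body, keep_blank_values=True)
    inner = outer.get("device_info", [""])[0]
    fields = {}
    for pair in inner.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[key] = value
    return fields


def naive_double_decode(body):
    """The tempting but wrong approach: parse_qs twice.  The second pass maps
    '+' to a space, so the voicemail number comes back as ' 15552175049'."""
    inner = parse_qs(body)["device_info"][0]
    return {k: v[0] for k, v in parse_qs(inner).items()}


def sensitive_fields(fields):
    """Subset of fields that identify the device or the subscriber."""
    return {k: fields[k] for k in SENSITIVE_FIELDS if k in fields}


def looks_like_emulator(fields):
    """SDK-emulator hallmarks: all-zero IMEI, 'generic' brand, test-keys build.
    Worth checking before treating captured identifiers as a real user's."""
    device_id = fields.get("device_id", "x")
    return (device_id.strip("0") == ""
            and fields.get("build_brand") == "generic"
            and "test-keys" in fields.get("build_tags", ""))


if __name__ == "__main__":
    fields = parse_device_info_post(CAPTURED_BODY)
    for key, value in sensitive_fields(fields).items():
        print(f"{key:18} {value:22} ({SENSITIVE_FIELDS[key]})")
    print("captured on an emulator:", looks_like_emulator(fields))
```

The all-zero device_id, "generic" brand and "test-keys" build tags mark this capture as coming from the SDK emulator rather than a real handset, which is why the identifiers could be published verbatim; a capture from a user's phone would need to be redacted before it went into a report.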

While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior.  There have been cases in the past where applications were simply a little overzealous in their data-gathering practices, without any ill intent.

We’ve been working with Google to investigate these apps and they’re on top of it.

Overall, our goal is to help users and developers alike across all mobile platforms to be responsible and vigilant in ensuring a safe mobile experience.

25 comments
  1. [...] to Lookout, the app–which provides free custom background wallpapers–collects the device’s phone number, subscriber identifier and the currently entered voicemail number, then sends that info to http://www.imnet.us–a Web site registered to someone in Shenzhen, [...]

  2. [...] Hat speakers from Lookout, wrote us to let us know that the full details on the wallpaper apps have been posted here, if you’d like to read. Meanwhile, estimations of just how many people have downloaded this [...]

  3. [...] the press jumped the gun on reporting this as a major security issue, and the company has posted a clarification to its [...]

  7. Ener Etoc says:

    Can you explain and confirm whether your application was used to gather data for your genome project? If not, how did you manage to get your analysis done?

    http://forum.xda-developers.com/showthread.php?p=7409102#post7409102

  9. Anonymous says:

    The actual problem is that most advertising providers were unable to encapsulate those permissions yet.
    If you look at the Android SDK from Apple/Quattrowireless it requires you to use exactly those permissions and some more.

    Quote:
    Add the following permissions to your application:
    * INTERNET
    * READ_PHONE_STATE
    * ACCESS_COARSE_LOCATION
    * ACCESS_FINE_LOCATION

    Source: http://wiki.quattrowireless.com/index.php/Android_SDK

    Maybe the ad providers will start encapsulating now so free apps/games need no permissions at all. It's technically possible.

  10. kevin says:

    @Ener,

    We released a full description of how we gathered the data and our analysis methodology at the Blackhat conference (slides should be public soon), but here’s the brief summary.

    We built software that connects to the Android Market and iPhone App Store to gather data on all apps (nearly 300k) and download free apps (nearly 100k). We analyzed the data our crawler gathered to produce the results for the App Genome Project.

    Hope this clarifies things.

    -Kevin

  11. Ener Etoc says:

    Yes, thanks for answering!

    Like you, I am a bit concerned about applications that ask for too many rights; in fact I have not installed a scanner so far due to those concerns.

    And unfortunately your scanner is hard to beat in that respect…
    at the same time I do understand that you need those rights for Lookout to work!

    I will wait to see some real review of the security app appear on specialized site like vb100 etc…

  12. [...] or user account data. The advantage of doing this has been highlighted today with a report by a blog post from Lookout, a mobile phone security company. They analysed an Android wallpaper application and [...]

  13. [...] can read more about Lookout’s report HERE; and while you’re at it, it’s worth reading this post on launcher [...]

  14. [...] Lookout has found spyware that is now being spread via Android phones through various programs such as [...]

  17. [...] wallpapers, something must have gone wrong in the Android Market, since the security firm Lookout has detected that this application was sending personal information from the handsets to a [...]

  18. Mikey says:

    Here is a counter article to your report, Lookout! They say you are inaccurate, and the developer calls you irresponsible. I share the same sentiments though mine is valueless.

    http://www.androidtapp.com/android-wallpaper-apps-falsely-accused-of-spyware-and-stealing-sensitive-user-data-fud/

  19. kevin says:

    @Mikey

    To be clear, this blog post is exactly the same research that we originally presented at the Blackhat security conference. We have not changed any data nor have we retracted anything. At no time did we ever say that this application gathers text messages or browsing history. An early press article misreported our findings (and has since retracted the misreporting). We’ve been working to make sure everyone is reporting our research correctly and have been in contact with the applications’ author to make sure he understands what our research actually was.

    From the beginning, we’ve made it very clear that while a wallpaper application gathering information such as a user’s phone number, subscriber identifier, and current voicemail number may be suspicious, there is no evidence of malicious behavior.

  20. tom says:

    Can you get lookout app on HTC wildfire? If so, how?

  21. jenny says:

    Hi Tom,
    It seems that many apps “disappear” from the Android Market when on the HTC wildfire. http://androidforums.com/htc-wildfire/151726-missing-marketplace-apps-wildfire.html

    If you are having trouble finding Lookout, you can also go to GetJar to download Lookout: http://www.getjar.com/adp/Lookout-Mobile-Security-with-Antivirus

  23. Can I simply say what a relief it is to discover a person who actually knows what they’re sharing on the web. You definitely know how to bring an issue to light and make it matter. More people need to read this and understand that part of the story. I can’t believe you are not more popular, because you really have the gift.

  24. [...] on July 28 that a security company, Lookout, had told a conference of security geeks that some downloadable applications to phones running the Android operating system would “collect a user’s browsing history, their [...]

  25. [...] security conference heard that some downloadable applications to phones running the Android operating system would “collect a user’s browsing history, their [...]
