Against the backdrop of poor payment options and rampant spam, Android’s application store, as holy as it is in its open sourceness, is apparently ripe for exploitation.
Mobile security company Lookout studied the Android Market and found a wallpaper application called Jackeey Wallpaper that sends user information to the Website www.imnet.us in Shenzhen, China.
Jackeey Wallpaper, which offers decoration ranging from My Little Pony to “The Simpsons” to “Star Wars,” also collects SIM (Subscriber Identity Module) card numbers, subscriber identification, and voice mail numbers and passwords from users’ phones, VentureBeat reported July 28.
The app has been downloaded anywhere from 1.1 million to 4.6 million times, which is a funny, imprecise number culled from Android Market’s imprecise data.
It turns out, Lookout said, each Android user is asked to grant an app the permissions it requests, but on the iPhone no such permission is required because Apple approves apps.
In other words, the Jackeey Wallpaper issue is another example of how the Android Market runs wild without a lot of controls.
But it’s not alone. Roughly 47 percent of Android apps access some kind of third-party code, compared with 23 percent of iPhone apps, Lookout found.
Update: Lookout noted July 29 in a follow-up post:
“While this sort of data collection from a wallpaper application is certainly suspicious, there’s no evidence of malicious behavior. There have been cases in the past on other mobile platforms where well-intentioned developers are simply over-zealous in their data gathering, without having malicious intent.”
The Jackeey issue is no doubt one of the reasons the Android team at Google is launching a new licensing service to protect paid applications in the Android Market from unauthorized use.
Jackeey might also be a good candidate for Android’s remote kill switch.
Most of the other 70,000 apps in the Market are behaving nicely; it’s time to take out the trash.