From SANS:
"--Google Android Apps Reportedly Stealing Data (July 30, 2010) Dozens of wallpaper apps being sold for Google Android devices have been found to be gathering personal information and sending it back to the apps' developers. Google has suspended one of the applications, which appears to send collected data to a server in China, while it
investigates the situation. The application is called Jackeey
Wallpaper and contains stolen copyrighted content. The issue
underscores the importance of downloading applications only from known and trusted sources.
Google Android apps ‘collecting personal data’ - Telegraph
City Brights: Yobie Benjamin : Android app IMNet "Free Wallpaper" steals user information: Lessons learned
[Editor's Note (Ranum): Is anyone surprised by this? The idea of "download only from known and trusted sources" is also a non-starter; eventually the attackers will begin to develop software that is stealthier about what it does - when the software supply chain is controlled, it becomes the next logical point of attack. How is the manager of an application store going to know if there's a sleeper routine in an app that will cause it to start leaking data in 3 or 4 months? What we're seeing now is the early "smash and grab" stage of what is going to be a long, horrible battle unless industry begins to realize that software security is a discipline above and beyond just issuing patches.]"
"--Google Android Apps Reportedly Stealing Data (July 30, 2010) Dozens of wallpaper apps being sold for Google Android devices have been found to be gathering personal information and sending it back to the apps' developers. Google has suspended one of the applications, which appears to send collected data to a server in China, while it
investigates the situation. The application is called Jackeey
Wallpaper and contains stolen copyrighted content. The issue
underscores the importance of downloading applications only from known and trusted sources.
Google Android apps ‘collecting personal data’ - Telegraph
City Brights: Yobie Benjamin : Android app IMNet "Free Wallpaper" steals user information: Lessons learned
[Editor's Note (Ranum): Is anyone surprised by this? The idea of "download only from known and trusted sources" is also a non-starter; eventually the attackers will begin to develop software that is stealthier about what it does - when the software supply chain is controlled, it becomes the next logical point of attack. How is the manager of an application store going to know if there's a sleeper routine in an app that will cause it to start leaking data in 3 or 4 months? What we're seeing now is the early "smash and grab" stage of what is going to be a long, horrible battle unless industry begins to realize that software security is a discipline above and beyond just issuing patches.]"
Facebook
Twitter
Instagram