More than a hundred innocuous-looking wallpaper applications for Android handsets have been harvesting users’ phone numbers and SIM card information and sending them off to a Website based in China, researchers said Wednesday at the Black Hat tech security conference in Las Vegas.
The wallpapers–background pictures of ponies, basketball scenes and the like–have been downloaded more than a million times, the researchers said in highlighting growing concern about the potential for malicious applications on Android, Apple’s iPhone and other smartphones that are rapidly gaining popularity.

Researchers Kevin Mahaffey and John Hering said it was unclear what the data could be used for, but Mikko Hypponen of Finland-based F-Secure said he had found scams in which phones were directed to call expensive toll numbers.
Mobile security was one of the major themes at the first day of Black Hat, which draws thousands of professionals and hackers every year. About a third of apps send off the locations of the phones, which has helped put privacy issues under renewed scrutiny.
Mr Mahaffey and Mr Hering downloaded nearly 100,000 free applications for the iPhone and devices running Google’s Android, then tested them to see what information they were accessing. While the vast majority appeared to be harmless, they warned that the wallpaper “app” was a sign of things to come.
Apple must approve apps before they are offered on the company’s online App Store, but they can be altered later and turned malicious. Consumers are asked if they are willing to let apps know their physical location, but not other stored data including their lists of contacts.
Android systems give users more information about which data the apps want, but a legitimate purpose–such as accessing contacts in order to assign ringtones to each–could mask improper harvesting. Additional trouble could come when apps contact the internet and download new programs.
Another noteworthy presentation Wednesday included a demonstration of how ATMs could be broken into from afar and ordered to dispense cash. That researcher, Barnaby Jack, did not release the code for hackers to use.
A more hopeful speech came from Dan Kaminsky, who won fame two years ago for identifying a flaw in the domain-name system that directs Web browsers to the right sites, a flaw that is only now coming close to being fixed.
Mr Kaminsky sketched out a way in which email could be tied to that software fix, called DNSSEC, and mail recipients would be able to know for sure that a message really came from the company that appeared to send it.
“When you receive an email from the bank, someday soon you will know that it came from the bank”, he said.