Yesterday, mobile security firm Lookout announced at the Black Hat security conference that it had discovered a seemingly benign wallpaper application for Android that had been downloaded millions of times — and allegedly harvested user data like text messages and browsing history, which was being sent to servers in China. At least, that’s what was reported. Turns out, it looks like the press jumped the gun on reporting this as a major security issue, and the company has posted a clarification to its blog.
According to the post, while there is something suspicious going on here, the data these applications are accessing is not nearly as sensitive as some of the initial reports would have you believe (it isn’t grabbing your text messages and browsing history). The apps are apparently sending some potentially sensitive data like your subscriber identifier, but even then, the Lookout team says that there is no concrete evidence of malicious behavior:
The data included the device’s phone number, subscriber identifier (e.g. IMSI), and the currently entered voicemail number on the phone (see below for technical details). While this sort of data collection from a wallpaper application is certainly suspicious, there’s no evidence of malicious behavior. There have been cases in the past on other mobile platforms where well-intentioned developers are simply over-zealous in their data gathering, without having malicious intent.
For its part, Google says that it has “suspended this application while we investigate further”.