Today many people use multiple web services, such as social networking and messaging services. Some users explicitly show their identity in these services, but others visit those services separately–as unidentifiable, different users. To protect their privacy, the latter group might not want their accounts and activities on multiple services to be associated with each other.
McAfee Labs has recently found a suspicious Android app on Google Play that secretly collects a device user’s Google account ID (gmail address in most cases), Facebook account ID (email address used for login), and Twitter account name. Users are exposed to the risk that these account IDs might be stored together and later abused, though we have not yet confirmed such misuse. The total downloads of this app amount to between 1,000 and 5,000 as of this writing.
Figure 1: This Android app secretly collects account IDs for Google, Facebook, and Twitter.
This app is implemented as a “sexy” movie viewer that provides a fixed set of URLs to movies on YouTube. However, this app secretly sends the device user’s Google account ID, Facebook account ID, Twitter account name, and locale information to its remote server just after it is launched. This information is not necessary for the app’s functionality, so we suspect that this app aims to collect these account IDs for possibly malicious purposes.
Figure 2: Account IDs secretly sent to the app’s remote server via HTTP.
As we described in an earlier blog about suspicious Android apps secretly collecting Google account IDs, this type of Android app requests GET_ACCOUNTS permission at installation. Granting this permission request allows the app to retrieve the device user’s account information (excluding passwords) of various services registered in the device, using the AccountManager.getAccountsByType() API. Because no passwords are stolen, this action cannot directly allow any illegal access to the accounts. However, because in some services the account IDs are email addresses or phone numbers, there are risks that the account IDs themselves will be abused, for example, in spamming or phishing. In addition, giving account IDs for multiple services could give the attackers hints for collecting more detailed personal and preference information of owners of Google accounts by combining data obtained from their Facebook and Twitter services.
Figure 3: A GET_ACCOUNTS permission request and examples of various service accounts.
Android device users should be careful and check whether an app developer is really trustworthy whenever an app requests GET_ACCOUNTS permission at installation. We also recommend that users should not unnecessarily enable social network privacy settings such as “allow search by email address.”
McAfee Mobile Security detects this suspicious app as Android/AccLeaker.A.