Suspicious Mobile App Finds Your Gmail, Facebook, and Twitter Accounts

By on

Today many people use multiple web services, such as social networking and messaging services. Some users explicitly show their identity in these services, but others visit those services separately–as unidentifiable, different users. To protect their privacy, the latter group might not want their accounts and activities on multiple services to be associated with each other.

McAfee Labs has recently found a suspicious Android app on Google Play that secretly collects a device user’s Google account ID (gmail address in most cases), Facebook account ID (email address used for login), and Twitter account name. Users are exposed to the risk that these account IDs might be stored together and later abused, though we have not yet confirmed such misuse. The total downloads of this app amount to between 1,000 and 5,000 as of this writing.

 

accleaker-1a
Figure 1: This Android app secretly collects account IDs for Google, Facebook, and Twitter.

 

This app is implemented as a “sexy” movie viewer that provides a fixed set of URLs to movies on YouTube. However, this app secretly sends the device user’s Google account ID, Facebook account ID, Twitter account name, and locale information to its remote server just after it is launched. This information is not necessary for the app’s functionality, so we suspect that this app aims to collect these account IDs for possibly malicious purposes.

 

accleaker-2
Figure 2: Account IDs secretly sent to the app’s remote server via HTTP.

 

As we described in an earlier blog about suspicious Android apps secretly collecting Google account IDs, this type of Android app requests GET_ACCOUNTS permission at installation. Granting this permission request allows the app to retrieve the device user’s account information (excluding passwords) of various services registered in the device, using the AccountManager.getAccountsByType() API. Because no passwords are stolen, this action cannot directly allow any illegal access to the accounts. However, because in some services the account IDs are email addresses or phone numbers, there are risks that the account IDs themselves will be abused, for example, in spamming or phishing. In addition, giving account IDs for multiple services could give the attackers hints for collecting more detailed personal and preference information of owners of Google accounts by combining data obtained from their Facebook and Twitter services.

 

accleaker-3
Figure 3: A GET_ACCOUNTS permission request and examples of various service accounts.

 

Android device users should be careful and check whether an app developer is really trustworthy whenever an app requests GET_ACCOUNTS permission at installation. We also recommend that users should not unnecessarily enable social network privacy settings such as “allow search by email address.”

McAfee Mobile Security detects this suspicious app as Android/AccLeaker.A.

2 comments on “Suspicious Mobile App Finds Your Gmail, Facebook, and Twitter Accounts

Leave a Comment

Similar articles

The topics parents need to discuss with kids today can be tough compared to even a few years ago. The digital scams are getting more sophisticated and the social culture poses new, more inherent risks. Weekly, we have to breach very adult conversations with our kids. Significant conversations about sexting, bullying, online scams, identity fraud, ...
Read Blog
There's something ironic about cybercriminals getting "hacked back." BriansClub, one of the largest underground stores for buying stolen credit card data, has itself been hacked. According to researcher Brian Krebs, the data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past ...
Read Blog