McAfee Labs Mobile Security researchers found a suspicious Android app on Google Play that secretly collects Gmail, Facebook, and Twitter account information.
Users are exposed to the risk that these account IDs might be stored together and later abused, though we have not yet confirmed such misuse. The total downloads of this app amount to between 1,000 and 5,000 as of this writing.
The app is implemented as a “sexy” movie viewer that provides a fixed set of URLs to movies on YouTube. However, it secretly sends the device user’s Google account ID, Facebook account ID, Twitter account name, and locale information to its remote server just after it is launched.
This information is not necessary for the app’s functionality, so we suspect that this app aims to collect these account IDs for possibly malicious purposes.
Fraudulent Android apps of this type, which secretly collect Google account IDs, request the GET_ACCOUNTS permission at installation.
Granting this permission request allows the app to retrieve the device user’s account information (excluding passwords) of various services registered in the device, using the AccountManager.getAccountsByType() API. Because no passwords are stolen, this action cannot directly allow any illegal access to the accounts.
Android device users should be careful and check whether an app developer is really trustworthy whenever an app requests GET_ACCOUNTS permission at installation.
I also recommend that users not unnecessarily enable social network privacy settings such as “allow search by email address.”
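The permission check described above can be automated when triaging apps. The following is an added example, not code from the original post or from McAfee: a heuristic audit of a decoded AndroidManifest.xml (for instance, as produced by apktool) that flags GET_ACCOUNTS when it is combined with network access and the app declares no account authenticator of its own. The package name and sample manifest are constructed, and the heuristic itself is an assumption about what merits a closer look.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
GET_ACCOUNTS = "android.permission.GET_ACCOUNTS"
INTERNET = "android.permission.INTERNET"
# Intent action declared by services that implement their own account type.
AUTHENTICATOR_ACTION = "android.accounts.AccountAuthenticator"

# Constructed sample: decoded manifest of a hypothetical video-viewer app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.movieviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="Movie Viewer">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            if el.get(NAME):
                perms.add(el.get(NAME))
    return perms

def declares_authenticator(manifest_xml):
    """True if a service registers as an account authenticator."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(NAME) == AUTHENTICATOR_ACTION
               for svc in root.iter("service") for a in svc.iter("action"))

def audit_manifest(manifest_xml):
    """Return a list of findings; empty when GET_ACCOUNTS is not requested."""
    perms = requested_permissions(manifest_xml)
    if GET_ACCOUNTS not in perms:
        return []
    findings = ["GET_ACCOUNTS requested: app can list account names on the device"]
    if INTERNET in perms:
        findings.append("INTERNET also requested: account names can be sent off-device")
    if not declares_authenticator(manifest_xml):
        findings.append("no account authenticator declared: need for account list is unexplained")
    return findings

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print(line)
```

A finding here is a prompt for manual review of the app and its developer, not proof of data collection.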
Author: Venkatesh Yalagandula