Even when installing from the Google Play store, caution should be used when installing apps.

A good rule to follow is to ask yourself if the app being installed is asking for more permissions than what it needs to function. When it comes to a wallpaper app, the list of permissions should be rather short.

It was recently brought to our attention that there was a wallpaper app on the Google Play store that had an extra permission that didn’t fit. It was using the permission GET_ACCOUNTS which allows access to list accounts.

This wallpaper app was doing a bit more than just displaying pictures on the device’s background.

 

Acct_Steal_4

The app goes by the name of Sexy Girls Wallpaper Gallery with the package name com.sexywallpapers.wallpaper.sexy. With the permission GET_ACCOUNTS accepted, it then uses the getAccountsByType() function to gather account information from Google, Facebook, and Twitter.

The stolen account information is then sent to a remote server. This is all triggered when the app is opened.

Acct_Steal_2

 

It uses the value email for Google/email account info, emailf for Facebook account info, and emailt for Twitter account info when sending to the remote server.

 

Acct_Steal_1

 

The app has been installed between 50,000-100,000 times from the Google Play store, and was last updated on May 16, 2014. It’s not clear how the stolen account information is being used, but the stolen email addresses could be used for spam campaigns.

Google has been notified of its existence.

Remember to always review the permissions of an app and check the app’s reviews before installing.  This will aid in keeping you safe while installing apps on any market.  Stay safe out there!

Nathan Collier