A new study that has analyzed the behavior of 10,000 applications downloaded from the Android Market, shows that many mobile applications leak personal information and that mobile devices may be as vulnerable to drive-by downloads as PCs.
Some of the key findings of the research include:
842 of the 10,000 apps analyzed from Google’s Android marketplace were leaking private information. The apps transmitted International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers to remote servers, potentially exposing this personally identifying information to compromise. The leaks occurred most frequently when application developers used IMEIs as user IDs, enabling unrelated applications to compare notes on user behavior, and clone users’ phones.
Hashing IMEI numbers to protect privacy does not protect user privacy. While some mobile application developers seek to protect the personal IMEI data via cryptographic “hashing,” the Dasient security team found that the hashing techniques used on IMEI were relatively easy to circumvent.
While drive-bys on desktop PCs on the Web are very common, the ability to conduct mobile drive-by attacks is a new, and potentially attractive, method of deployment for malware distributors. To prove how easy it actually is, the Dasient security team prototyped a mobile drive-by attack for Android, which you can check out here (registration required).