Security firm Lookout says that a suspicious app has been downloaded anywhere from 1.1 million to 4.6 million times.
The app in question is called Jackeey Wallpaper and was uploaded to the Android Market where users could download the application for free. According to Lookout, the application would access the owner's SIM card number, subscriber identification, and voicemail password (as long as it is programmed automatically into your phone) and send it to a site called imnet.us. That site is owned by someone in the Chinese city of Shenzhen.
Update: Lookout contacted me to say the original Venturebeat report was inaccurate:
The app does not actually access SIM card numbers or voicemail passwords. Instead, the app transmitted the device's phone number, subscriber identifier (e.g. IMSI), and the currently entered voicemail number on the phone. This is an important distinction for Lookout, because they did not actually find that the app was doing anything malicious. It is certainly suspicious, but it is important to clear up that they did not actually steal info like SMS conversations. More on their blog posting.
Upon installation, the wallpaper app asks for permission to access your phone calls, which should have been a clear warning not only to users but also to the people manning the Android Market's approval process.
This isn't the first case of mobile app developers sneaking deviant code into their apps this month. Earlier, a 15-year-old developer submitted a flashlight application to Apple's (aapl) App Store which had code that turned iPhones into Internet routers. Apple removed the application within a few hours of it being widely reported.
According to Venturebeat, John Hering, chief executive of Lookout, said in a press conference afterward that he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps.