Suspicious Apps on Google Play Leak Google Account IDs

The Google account ID (or account name), which in most cases is a Gmail address, is one of the key identifiers of Android device users. McAfee has confirmed a substantial amount of suspicious apps secretly collect Google account IDs on Google Play. In these cases, the corresponding Google account password is not collected, but leaking only IDs still poses a certain level of security and privacy risk.

Two particular apps, one a dating service app and the other a fortune app, retrieve Google account IDs and send them to their web server just after they launch and without prior notice to users. The total number of download of each app is between 10,000 and 50,000. McAfee Mobile Security detects these apps as Android/ChatLeaker.D.

 

galeaker-1
These two suspicious apps leak Google account IDs.

 

Another set of suspicious apps, from various categories, shown in the figure below secretly send a device’s Google account ID, IMEI, and IMSI to a single, shared remote web server just after launch and without any prior notice. The aggregate download count of this set of apps amounts to at least several million, probably because they are localized for many languages. It appears the main targets are Japanese users. We detect these apps as Android/GaLeaker.A and its variants.

 

galeaker-2
More than 30 suspicious apps leak Google account IDs, IMEI, and IMSI

 

We have not confirmed why the app developers secretly collect Google account IDs, or how they use them and how they manage the data securely. And we have not so far observed any malicious activities based on the stolen data. But at least these apps should notify users of the collection and of the intended use of their data–and give them opportunity to decline the data transfer.

Android apps can retrieve Google account IDs with GET_ACCOUNTS permission granted at installation and by using one of the methods of the AccountManager class. This permission is often requested when an app uses the Google Cloud Messaging feature, which is a standard mechanism provided by Google to allow server-to-device push notification. As such, users cannot judge if granting this permission is really safe; some apps request this permission for GCM, but others for collecting account information for potentially malicious purposes.

 

galeaker-3e
A GET_ACCOUNTS permission request.

 

Although the account passwords cannot be retrieved in this case, leaking only account IDs still creates several types of risks.

  • Attackers can share account IDs with other malicious parties including email address collectors.
  • Attackers can directly send spam/scam emails to the address.
  • Attackers can break passwords and illegally access accounts if users employ easy-to-guess passwords.
  • Attackers can identify a user’s personal information on social networking services related to Google account IDs, for example, Google+.

Users should be especially careful about registering SNS/communication services using a Gmail address with services that encourage users to be searchable by their email addresses. If users have enabled the feature and make their profiles public, which is the default on many services, an attacker can easily identify personal information using the email address as a search key.

 

galeaker-4
A User’s real name is suggested based using the Gmail address as a search key.

 

With the GET_ACCOUNTS permission granted, Android apps can also retrieve account names for services other than Google that have been registered in the device, including Facebook, Twitter, LinkedIn, Tumblr, WhatsApp, and so on. Users will face these same issues once these other account names are stolen.

 

galeaker-5e
Account names for various services can be easily retrieved.

 

We strongly recommend that users review the privacy settings on all the services they employ and disable the “allow search by email address” option unless they really want it. Users should also not expose their account names in public unless it is necessary.