As many as 4 million people downloaded data-stealing Android app

A seemingly innocuous Android app that let users change their phone’s wallpaper has actually been stealing private user information and may have been downloaded millions of times.

Mobile security firm Lookout unearthed the truth behind the deceitful app and presented its findings at the Black Hat security technology conference in Las Vegas, as reported by VentureBeat.

Users should be concerned if they downloaded an app from “Jackeey Wallpaper.” While it does perform the functions described in the app download page, it also ends up taking the phone’s Internet browser history, mobile phone number, every single text message, and voicemail password. That information is then sent to a website based in Shenzhen, China.

It’s a concern that Android users must face. Unlike developers subject to Apple’s crazily stringent app approval process, Android developers have nearly free rein over what they can put up on the Android Market.

However, users can protect themselves. Before downloading an app, users are made aware of what kind of sensitive information and controls the app has access to. And an app that supposedly does nothing but change the phone’s wallpaper should not be accessing mobile phone records.

Nonetheless, those warning screens are easy to just bypass without much thought. Lookout reports that anywhere between 1.1 million and 4.6 million people downloaded the misleading phishing app, making it one of the most high-profile malicious apps on the platform so far.