UPDATE – Security experts and mobile developers are warning Android users to steer clear of an app purporting to be an Android version of Apple’s iMessage technology. The app has been pulled from Google Play according to a Google spokesperson, but it remains available on several third party sites.

The free program is not from Apple, instead it is credited to a Daniel Zweigart, who dropped the app onto third party sites, including download.com. While the app does apparently connect Android users to Apple users and allow them to message one another, there’s more under the covers that has experts concerned.

Jay Freeman, a mobile developer who runs a consultancy called SaurikIT, said that while iMessage Chat does connect to Apple, all the data used with the app is processed on the developer’s server, which is hosted in China.

“This not only means that Apple can’t just block them by IP address,” Freeman wrote on his Google+ page, “but also that they get to keep the ‘secret sauce’ on their servers (and potentially just run Apple code: there are some parts of the process in Apple’s client code that is highly obfuscated).

“Clearly, this is suboptimal from a security perspective,” Freeman said.

The developer could be collecting not only message content on their end, but user names, passwords and possible Apple ID account information including credit card numbers.

Another mobile developer, Steven Troughton Smith of Dublin, wrote that the app is also capable of downloading additional Android APKs in the background, including malicious programs.

“I can definitely confirm it can download APKs and patches in the background,” said software engineer Adam Bell of Canada. “As far as I saw no credit card info is touched (locally on the device anyway), but when you log in or send an iMessage, all data is sent to a server in China first, acting of some sort of MITM, so who knows what they’re doing with that.”

Bell also said that the app spoofs chat requests as a Mac mini.

“It may be that they’re using Mac Minis to forward the requests, or it may be just as simple as hiding the extra phone traffic as Mac Minis to go unnoticed,” Bell said.

A request for comment from Google was not returned upon publication.

The app had been available for less than a month on Google Play, yet it was downloaded at least 10,000 times. The reviews, however, are not stellar with one- and two-star reviews far outpacing five-star reviews.

Updated at 1:45 p.m. with confirmation from Google that the app has been pulled from Google Play.

Image courtesy Doug Belshaw

Categories: Mobile Security