Yesterday Android Authority’s Bogdan Petrovan highlighted several security concerns about the iMessage Chat app that had appeared in the Play Store. The app was supposedly created to give Android users the ability to chat with users of Apple’s popular messaging service. However this potentially useful app seemed to have a darker side including some surreptitious communications with a server in China. Thankfully Google seems to have taken note and the app has now been removed from the Play Store.
The app was designed in such a way that everything was first sent to a server in China which in turn replied with the correct protocol that the phone should pass on to Apple’s servers. Jay Freeman (Saurik), the creator of the Cydia platform, speculated that this could allow the app’s designer to harvest Apple login credentials and allow attackers to take control of users’s accounts and so on. Another problem with the app is that its permissions allowed it to download and install other apps in the background, a sure way for the app creator to sneak some malware on to a device.
The app first appeared on Google Play on September 12th, however it has now been removed. As you can see from the screenshot an example name used by the app is “HuLuWa” and someone using that moniker did reply to Saurik’s G+ post and offered to release the source code for the app. However further questions directed at them including questions about the stealing of Apple IDs remained unanswered. HuLuWa was also the name of the developer’s site (as listed in Google Play) and at the moment huluwa.org is offline. Messages left on Hu LuWa’s Google+ page have also remained unanswered.
A Google spokeswoman confirmed in an email to Computerworld that the company had pulled the app saying “we remove apps from Google Play that violate our policies.”
However one question now remains, if there was a legitimate iMessage app for Android would you use it?