In previous lists of dangerous Android apps, SecurityWatch has looked at mobile apps that stealthily sign you up for premium-rate SMS services, demand a lot of permissions, and collect data from minors. This week's list is a bit of a grab bag, with unnecessary permissions, phone numbers leaked, and a company issuing vague warnings of potential problems.

As always, SecurityWatch recommends you consider what the apps do and make an informed decision about keeping or removing the app.

[1] Iron Man 3 Live Wallpaper

Iron Man 3 Live Wallpaper lets users download sticker widgets for the home screen, display Iron Man as the wallpaper, and animate Iron Man's Arc Reactor to show your device's battery status. "He's perfectly patriotic, so wave your device with Iron Patriot set to your homescreen in the air during the fireworks displays at all of the Independence Day festivities!" reads the description on Google Play.

The wallpaper app also requests two permissions related to your text messages—one to access your text messages and the other to read your text messages. "You may consider this inappropriate, depending on the app," BitDefender warns.

It appears the wallpaper will "repulsor blast you a head's up" to notify you when you receive a text message. SecurityWatch leaves it up to the reader to decide whether that is necessary functionality for a wallpaper.

[2] Facebook for Android

The official Facebook for Android app is leaking your phone number without your permission, Symantec said last week.

Symantec's new Norton Mobile Insight tool flagged the official Facebook application for transfering the device phone number without user permission. It turns out that the first time a user launched the Facebook app—even before the user has even logged into the social network—the app sent the device phone number to Facebook servers. Even if you didn't have a Facebook account, if your phone came with the app pre-installed and you accidentally launched it, off went your phone number.

Facebook told Symantec the issue will be fixed in the next update.

[3] PokeCreator

Watch out for your Pokemon! PokeCreator from developer TCHU lets you create custom Pokemon and wirelessly send them to your consoles to use in various Pokemon games. According to the description on Google Play, the app claims to be compatible with Pokémon Black 2/White 2, Black/White, HeartGold/SoulSilver, Diamond/Pearl and Platinium. Nintendo over the weekend warned in a Japanese statement that characters created with app conflicted with certain games and software.

Nintendo will not restore systems damaged by using the custom characters, the company said. We have yet to hear of cases where Nintendo DS or 3DS consoles were damaged because of custom Pokemon created by PokeCreator, though. Just know the risks before you plunk down that $0.99 for the app.

Further Reading

Security Reviews