Maildroid security risks?

[baji]

This might just be speculation, but I'd like to share my observations with you folks in regard to Maildroid.

I have a Samsung Captivate, and I've used Maildroid for nearly 5 months. I've noticed in recent weeks that every email account that I have saved in Maildroid has been used by some kind of email spamming group to send out their spam. I know that this has happened, as I have had people I know ask me about strange mails they received from me, and also, I have received automated responses of various types from some addresses.

My original thought was that it must be a virus on my actual desktop computer. But, I've got active AV/AS, and I've done a few thorough scans with alternative software, enough that I am satisfied that the computer is clean. In addition to that, some of these accounts have ONLY been accessed through the phone.

So, I suppose it is one of two things, either I had some kind of malicious bug slip in that was forwarding my username and PW, or there is some kind of security hole in Maildroid that is allowing access to that information. I am inclined to believe that this is something with Maildroid in particular because my Gmail accounts, which are not stored in Maildroid but the stock Gmail app, have not been effected.

I am curious, have any of you folks experienced something similar? With this app? I've changed the passwords to my accounts. I am going to try a different mail app (I should also add, this will be on a brand new phone as my old one broke, so it could muddle my results up) and see if the problem continues.

 

[maildroiddev]

There is nothing in maildroid that I have been alerted to by anyone (in over a year). Note that maildroid is just a client. I connect to the mail server and read mail and send mail. Also, be aware that if this has happened to many people, I would have been alerted a long time ago. If you want to discuss more, you can always email me.

 

[takeshi]

Sounds coincidental. Access to your device or PC isn't required for spoofing, by the way.

 

[baji]

Thanks for the responses, guys. Maildroiddev, I am glad to hear back from the developer, which I assume you are based on your name!

I'm not trying to call you out! I am just trying to piece together the circumstances that are, or have, led to this spoofing situation. I've liked Maildroid in my time using it, as it has been the best mail app I have found for Android. Thus, having heard from you, I will continue to use it. The cause of this spoofing must be related to something else!

 

[maildroiddev]

Thanks for the responses, guys. Maildroiddev, I am glad to hear back from the developer, which I assume you are based on your name!

I'm not trying to call you out! I am just trying to piece together the circumstances that are, or have, led to this spoofing situation. I've liked Maildroid in my time using it, as it has been the best mail app I have found for Android. Thus, having heard from you, I will continue to use it. The cause of this spoofing must be related to something else!

Yes, I am the dev As the other poster mentioned, you can spoof a number of different ways. As always, email me if you have any questions and I will be more than willing to discuss more in detail or answer any specific questions you may have.

 

[epp]

My apologies for replying to an old thread, but I installed Maildroid today on my Android, then uninstalled it.

I have Avast Mobile Security installed. Avast reported privacy issues with Maildroid when it scanned it after installation, but without the Premium version of Avast, it does not tell you what the privacy issues are.

 

[funkylogik]

That happens a lot tbh mate. Security apps false flag another security app :thumbup:
Tbh i dont use the things other than appbrain ad network detector :thumbup:

 

[epp]

That happens a lot tbh mate. Security apps false flag another security app :thumbup:
Tbh i dont use the things other than appbrain ad network detector :thumbup:

As of the current version of Maildroid, it requires the following permissions:

• Storage
• System Tools
• Your Location
• Phone Calls
• Network Communication
• Your Personal Information
• Hardware Controls
• Development Tools

This seems quite a lot for an e-mail app, IMO.

If Avast is reporting a false positive, the developer needs to get in touch with Avast to rectify this.

At first glance, why would an e-mail app want information about phone calls??

 

[funkylogik]

Usually that permission is used so that an app knows to sleep when you make/recieve a call.
Im not disagreeing with you but you have to sometimes think of permissions in an abstract way.
Most devs will explain them fully in a link in description or if you email them :thumbup:
Ive had what i think was a virus with Avast installed and no warnings.
Personally i think android is fairly safe. You have to CHOOSE to install a virus but i understand other peoples concerns :beer:

 

[Hadron]

Checking permissions is better than relying on some "privacy advisor" which is probably just doing the same thing. I'd think any mail app would trigger a privacy warning because, by definition, it can access messages.

As Funky says, the phone permission is usually more benign than it appears. Personally I'd be more curious about why it wants my location, but as the paid version doesn't have that I guess it's for ad support.

 

[epp]

I did some digging on this and it appears that the "phone calls" permission I referenced, is there by default, if the developer is targeting Android 1.5 and earlier. http://stackoverflow.com/questions/...ons-phone-calls-read-phone-state-and-identity

If the app is being installed on a phone with Android 1.6 and later, the permission is there - as long as the target OS goes back to 1.5 and earlier.

However, the current Google Play description for Maildroid shows it requires Android 2.1 and up. Google Play store descriptions make no mention of a target version anywhere.