Editor’s Note: This app shows “no evidence of malicious behavior,” researchers say.  It is, however, being regarded as suspicious.  Read about that here.

According to mobile security firm Lookout, a questionable Android wallpaper app that collects data and sends it to a mysterious website based in China has been downloaded by millions of users.

Apps that seem good but could actually be stealing your data are a huge risk as mobile apps are skyrocketing on smartphones, said John Hering, chief executive, and Kevin MaHaffey, chief technology officer of Lookout, in their talk at the Black Hat security conference yesterday.  

“Even good apps can be modified to turn bad after a lot of people download it,” said MaHaffey.  “Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it.”

This particular application came from Jackeey Wallpaper, and it was uploaded to the Android Market, where millions of users have already downloaded it.  Users install the app to decorate their Android phone with one of the wallpapers that come with the app.

It collects your your phone’s SIM card number, subscriber identification, and your voicemail password, if it is programmed into your phone.  All of this data is sent to a website, www.imnet.us.  The website is owned by someone in Shenzhen, China.  The app has been downloaded between 1 and 5 million times (the Market does not provide exact numbers).  When you download the app, it requests permission to access “Phone Calls,” but that doesn’t really give you a clear warning that your data is about to be stolen.

According to Lookout, 47 percent of Android apps access some kind of third-party code, while 23 percent of iPhone apps do.  This third party code is often used for serving ads within the app.  Often, apps will need access to that extra information to better gear ads toward you.  For example, knowing your location helps serve ads of businesses in your area.

Hering said that Google and Apple are both good at policing their app stores and fighting malware, but it’s hard to say what will happen to an app like this, when it’s unclear why it’s doing what it’s doing.

[MobileBeat, Lookout]