Published On: Sun, Jun 20th, 2021

A security bug in Google’s Android app put users’ data at risk

Until recently, Google’s namesake Android app, which has more than 5 billion installs to date, had a vulnerability that could have allowed an attacker to quietly steal personal data from a victim’s device.

Sergey Toshin, founder of mobile app security startup Oversecured, said in a blog post that the vulnerability has to do with how the Google app relies on code that is not bundled with the app itself. Many Android apps, including the Google app, reduce their download size and the storage space needed to run by relying on code libraries that are already installed on Android phones.

But a flaw in the Google app’s code meant it could be tricked into pulling a code library from a malicious app on the same device instead of the legitimate code library, allowing the malicious app to inherit the Google app’s permissions and granting it near-complete access to a user’s data. That access includes access to a user’s Google accounts, search history, email, text messages, contacts and call history, as well as being able to trigger the microphone and camera, and access the user’s location.

The malicious app would have to be launched once for the attack to work, Toshin said, but the attack happens without the victim’s knowledge or consent. Deleting the malicious app would not remove the malicious components from the Google app, he said.

A Google spokesperson told TechCrunch that the company fixed the vulnerability last month and it had no evidence that the flaw has been exploited by attackers. Android’s in-built malware scanner, Google Play Protect, is meant to stop malicious apps from installing. But no security feature is perfect, and malicious apps have slipped through the net before.

Toshin said the Google app vulnerability is similar to another bug discovered by the startup in TikTok earlier this year, which if exploited could have allowed an attacker to steal a TikTok user’s session tokens to take control of their account.

Oversecured has found several other similar vulnerabilities, including in Android’s Google Play app and, more recently, apps pre-installed on Samsung phones.
