Android’s security flaw allows malicious apps to steal user data

Sensitive data on Android phones could have been stolen by apps using a security vulnerability which is present on most Android devices.

Oversecured, an app security startup, found a flaw in the widely used Play Core library that allows app developers to deploy in-app push updates and new features modules to their apps, in forms like language packs or game levels.

A malicious app on the Android device could be used to take advantage of the vulnerability by introducing malicious modules into other apps that use the same library. Consequently, the malicious app developer can then steal private information like credit card numbers and passwords.

Easily exploited

According to Oversecured’s founder, Sergey Toshin, exploiting this flaw is easy. His company built a proof of concept app to test the vulnerability on Google Chrome for Android, which relied on the flawed library.

Toshin said that their app was able to steal browser histories, login cookies, and passwords. He added that the bug affected some widely-used apps on the Android app store.

The bug, which received an 8.8/10 severity rating, was fixed by Google. They appreciated the report informing them of the bug, which led to its patching in March. Toshin recommended that app developers should use the updated Play Core library to remove the vulnerability.

An earlier malicious threat

Recently, another bug, dubbed StrandHogg 2.0, allowed malware to pose as real apps on an Android device and steal sensitive user data. The malware imitates legitimate apps, and once users run it on their device, it proceeds to give the makers access to everything.

The name is derived from a Norse term that means hostile takeover and affects all Android 9.0 devices and earlier.

Though it does not seem like the bug was used in major hacking campaigns, it is alarming that such flaws go undetected for so long.