
Google’s Own Android App—With 5 Billion Installs—Was Vulnerable To A Privacy Destroying Hack - Forbes

https://ift.tt/2KSW0PQ

Google’s Android app, with more than 5 billion downloads, has been patched after a researcher found it was vulnerable to an attack that could have allowed hackers to obtain sensitive data from users’ phones, from Gmail messages to search history. Users should ensure they’re running the latest version of the app to avoid being hit by any real-world attack, the researcher said.

Exploiting the weaknesses to pilfer information from a user’s phone or tablet would also require that another rogue app be installed on the device. Plenty of malware of that kind exists and is aimed at Google’s smartphone operating system. The vulnerabilities in the Android app, first discovered by Sergey Toshin, the Moscow-based founder of smartphone security startup Oversecured, reside in the way it loads code from other parts of the operating system. Android software will often use code from either different apps or files on the operating system to launch certain features. If a hacker can poison that process, as Toshin did in his proof-of-concept hack, they can trick an app into grabbing malicious code, which can potentially steal data or abuse the tool’s processes.

To do this with the Google Android software, Toshin combined three different vulnerabilities “for maximum impact.” When exploited together, it was possible to add new, malicious code to the Google Play Core library, which was being used by Google’s Android app. When that malware was accessed by the app, it could start grabbing data or hijacking its functions. “It will become part of the app with access to all resources and features,” Toshin said.

“The attacker’s app needed to launch only once for this attack to succeed. After that, even if the app was removed, the malicious functionality would continue to be present in the Google app independently,” the 24-year-old researcher wrote in a report handed to Forbes ahead of publication on Thursday.

Any attack on Google’s own app would be particularly potent, given the access it has to much of the data on a smartphone. That includes a user’s search history and whatever they looked for using the voice assistant. The app also has permission to intercept app rights, meaning a hacker exploiting the vulnerabilities could read and send text messages, access contacts and call history, make and receive calls, turn on the microphone or camera, and grab the user’s location. This would all happen silently, without any user consent or notice. 

Such weaknesses are not uncommon and have been seen in apps from major tech companies before. Toshin, for instance, found a similar issue in TikTok’s Android app.

Toshin said that he informed Google in February and was rewarded by the tech giant with a $5,000 bug bounty. 

Google said the issue was patched in May. If users have automatic updates on, they shouldn’t have to do anything. Others will have to update the app manually. “We created our Vulnerability Rewards Program specifically to identify and fix vulnerabilities like this one. We are appreciative of Oversecured and the broader security community’s participation in these programs. We rolled out a fix to our users more than a month ago and have not seen any evidence of exploitation.”




"Android" - Google News
June 17, 2021 at 09:00PM
https://ift.tt/35Cj4fP
