Researchers have recently discovered hundreds of vulnerable apps on Google Play Store which are allowing hackers to inject them with malicious code which, upon downloading, steal all data from an infected Android device.
The problem, according to the researchers [PDF] is that some of the apps are creating open ports on smartphones, which is not a new problem since the same issue was faced by computers but it is something new when it comes to smartphone technology.
A team from the University of Michigan has tried to use a custom tool for scanning more than 24,000 applications, and 410 of them were found to be flawed. At least one of those apps has been downloaded so many times that there are potentially millions of Android devices which are vulnerable.
Researchers also stated: – “These newly discovered exploits can lead to a large number of severe security and privacy breaches. For example, remotely stealing sensitive data such as contacts, photos, and even security credentials and performing malicious actions such as executing arbitrary code and installing malware remotely.”
The biggest problem lies with the apps that are used for file transfer between smartphones and computers via WiFi. The flawed security is allowing more than just the devices’ owner to access the transfer and the devices themselves. Furthermore, apps which allow services like WiFi File Transfer, are estimated to have been downloaded between 10 and 50 million times. When the Michigan team decided to scan the campus network to determine how many devices can be found in this flaw; after only 2 minutes they were able to discover a number of vulnerable devices.
“To get an initial estimate on the impact of these vulnerabilities in the wild, we performed a port scanning in our campus network, and immediately found a number of mobile devices in 2 minutes which were potentially using these vulnerable apps,” according to the team.
Moreover, it was found that 57 of the 410 apps are truly vulnerable and they have even demonstrated how the attacks work by explaining that the “app opens ports by default and no client authentication or incoming connection notifications are engaged, which put the device user in severe danger.”
Basically, the apps are leaving open doors for any malicious code and not many of those would miss such an invitation. Google is yet to comment on the current situation. So far, the only way to fix this problem would be to uninstall these apps and this should not be difficult. However, this is something that should be fixed ASAP to avoid further problems.