Security bug in Google’s Android app puts user data at risk – TechCrunch
Until recently, Google’s namesake Android app, which has more than five billion installs to date, had a vulnerability that could have allowed an attacker to stealthily steal personal data from a victim’s device. .
Sergey Toshin, founder of mobile app security startup Oversecured, said in a blog post that vulnerability has to do with how the Google app relies on code that does not come with the application itself. Many Android apps, including the Google app, are reducing their download size and storage space needed to run by relying on code libraries already installed on Android phones.
But the loophole in the code of the Google app meant that it could be tricked into extracting a code library from a malicious app on the same device instead of the legitimate code library, allowing the malicious app to inherit permissions from the Google app and grant it almost full access to a user’s data. This access includes access to a user’s Google Accounts, search history, emails, text messages, contacts, and call history, as well as the ability to trigger the microphone and camera. and access the user’s position.
The malicious application would have to be launched once for the attack to work, Toshin said, but the attack to occur without the victim’s knowledge or consent. Removing the malicious app would not remove malicious components from the Google app, he said.
A Google spokesperson told TechCrunch that the company patched the vulnerability last month and has no evidence that the flaw was exploited by attackers. Android’s built-in malware scanner, Google Play Protect, is intended to prevent the installation of malicious apps. But no security feature is perfect, and malicious apps have already crept in.
Toshin said the Google app vulnerability is similar to another bug discovered by the TikTok startup earlier this year, which, if exploited, could have allowed an attacker to steal session tokens. ‘a TikTok user to take control of their account.
Oversecured has discovered several other similar vulnerabilities, including Android’s Google Play app and, more recently, preinstalled apps on Samsung phones.