With any open platform, risks are abundant. Outages, breaches and of course, malware built into applications can run rampant without any sort of check and balance system. It is one of the reasons the Google Play store can be as dangerous as a minefield, and we've been reporting on the problems that have been plaguing the Google app store for over a year. Android devices have been hijacked by innocent-looking apps, with security attacks growing each quarter and the problems have even shown up on Chromebooks. Now, researchers have reported that the applications from the Android marketplace have put banking account information, social network and email passwords at risk. It is estimated that the problems affect as many as 185 million people, assuming each person downloaded only one of the affected apps one time.
Germany's research teams at Leibniz University of Hannover and Philipps University of Marburg found that 41 apps that were available in the Play store last week are leaking your private information as the data moves from your smartphone to the servers. The group was able to remake a scenario using a local area network and already-known exploits to prove their findings. They said,
We could gather bank account information, payment credentials for PayPal, American Express and others. Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.
We have more on this major issue and examples of the vulnerabilities after the break.
In the interest of security, the German team has not disclosed which specific apps are doing this, but said that they have been downloaded up to 185 million times. They also reported on several examples of the issues that are at hand.
- An anti-virus app that accepted invalid certificates when validating the connection supplying new malware signatures. By exploiting that trust, the researchers were able to feed the app their own malicious signature.
- An app with an install base of 1 million to 5 million users that was billed as a "simple and secure" way to upload and download cloud-based data that exposed login credentials. The leakage was the result of a "broken SSL channel."
- A client app for a popular Web 2.0 site with up to 1 million users, which appears to be offered by a third-party developer. It leaked Facebook and Google credentials when logging in to those sites.
- A "very popular cross-platform messaging service" with an install base of 10 million to 50 million users exposed telephone numbers from the address book.
While these issues are very big, it appears from their report (PDF) that they mostly pertain to third-party apps and not apps downloaded or created by the websites they link to directly (i.e., Facebook, Bank of America, etc). Still, it is quite alarming to see that these apps have been downloaded so many times. I guess I shouldn't be surprised though, given the nature of most Android users and their habit of downloading just about anything. The good news is that the German researchers have suggested numerous ways to fix the issues that exist inside the apps. We can only hope the developers care enough to do it and will keep you updated on the happenings. For now, it's just another Google marketplace exploit that we've come to expect.