Android security bug let malicious apps siphon off private user data

A security vulnerability in Android could have allowed malicious apps to siphon off sensitive data from other apps on the same device.

App security startup Oversecured found the flaw in Google’s widely-used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps, like language packs or game levels.

A malicious app on the same Android device could exploit the vulnerability by injecting malicious modules into other apps that rely on the library to steal private information, like passwords and credit card numbers, from inside the app.

Sergey Toshin, founder of Oversecured, told TechCrunch that exploiting the bug was “pretty easy.”

The startup built a proof-of-concept app using a few lines of code and tested the vulnerability on Google Chrome for Android, which relied on a vulnerable version of the Play Core library. Toshin said the proof-of-concept app was able to steal a victim’s browsing history, passwords, and login cookies.

But Toshin said that the bug also affected some of the most popular apps in the Android app store.

Google confirmed the bug, rated 8.8 out of 10.0 for severity, is now fixed. “We appreciate the researcher reporting this issue to us, and as a result it was patched in March,” said a Google spokesperson.

Toshin said app developers should update their apps with the latest Play Core library to remove the threat.

A new Android bug, StrandHogg 2.0, lets malware pose as real apps and steal user data



from TechCrunch https://ift.tt/2D7weHj

Comments

Post a Comment

Popular posts from this blog

Microsoft says it has no plans to add more backward compatible titles for Xbox One, but says Project Scarlett will run games from all four Xbox generations (Tom Warren/The Verge)

Image
Tom Warren / The Verge : Microsoft says it has no plans to add more backward compatible titles for Xbox One, but says Project Scarlett will run games from all four Xbox generations   —  No more Xbox 360 and Xbox additions to the catalog  —  Microsoft is winding down new additions to its Xbox backward compatibility catalog. from Techmeme http://bit.ly/2Iw9XkX
Read more

Internal docs: Facebook employees created a test account in 2019 and within days, it was recommended extreme and conspiratorial content, including QAnon Groups (Brandy Zadrozny/NBC News)

Image
Brandy Zadrozny / NBC News : Internal docs: Facebook employees created a test account in 2019 and within days, it was recommended extreme and conspiratorial content, including QAnon Groups   —  In the summer of 2019, a new Facebook user named Carol Smith signed up for the platform, describing herself as a politically conservative mother … from Techmeme https://ift.tt/3b2bRZh
Read more

Local officials, educators, and advocacy groups are frustrated by refusal of ISPs to provide data on how many customers they signed up via low income programs (Cyrus Farivar/NBC News)

Image
Cyrus Farivar / NBC News : Local officials, educators, and advocacy groups are frustrated by refusal of ISPs to provide data on how many customers they signed up via low income programs   —  Months into the school year, the one thing many families have learned is how much they rely on a functioning internet connection to access remote classrooms. from Techmeme https://ift.tt/32sgVSS
Read more