Until recently, Google’s namesake Android app, which has more than five billion installs to date, had a vulnerability that could have allowed an attacker to steal personal data from a victim’s device quietly.
In a blog post, Sergey Toshin, the founder of mobile app security startup Oversecured, said that the vulnerability has to do with how the Google app relies on code that is not bundled with the app itself. Many Android apps, including the Google app, reduce their download size and the storage space needed to run by relying on code libraries already installed on Android phones.
But the flaw in the Google app’s code meant it could be tricked into loading a code library from a malicious app on the same device instead of the legitimate one. Code loaded this way runs inside the Google app’s own process, so the malicious app effectively inherits the Google app’s permissions, granting it near-complete access to a user’s data. That includes the user’s Google accounts, search history, email, text messages, contacts and call history, as well as the ability to trigger the microphone and camera and read the user’s location.
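The article does not say which Android API the Google app used or exactly how the lookup was tricked, so the following is an added, generic illustration of this bug class and not the Google app’s code: an app that loads code from another installed package by package name alone, next to a version that first checks who signed that package. The package name `com.example.sharedlib`, the class name and the pinned certificate fingerprint are all made-up placeholders.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.util.Arrays;

/**
 * Generic example of cross-package code loading on Android (added example,
 * not the Google app's implementation). A package name is not an identity:
 * any app that manages to occupy that name on the device would be loaded.
 * The signing certificate is the identity, so pin it.
 */
public final class CrossPackageCodeLoader {
    // Hypothetical library package and the SHA-256 of the certificate we expect
    // it to be signed with. The all-zero value is a placeholder to replace.
    static final String LIB_PACKAGE = "com.example.sharedlib";
    static final String LIB_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    /** UNSAFE pattern: trusts whatever package currently holds LIB_PACKAGE. */
    static ClassLoader loadUnverified(Context ctx)
            throws PackageManager.NameNotFoundException {
        // CONTEXT_IGNORE_SECURITY disables the platform's own check that the
        // target is signed with the same key as the caller. With it set, code
        // from any app using this package name runs in our process.
        Context libCtx = ctx.createPackageContext(LIB_PACKAGE,
                Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY);
        return libCtx.getClassLoader();
    }

    /** HARDENED: load only if every signer of the package matches the pin. */
    static ClassLoader loadVerified(Context ctx) throws Exception {
        PackageManager pm = ctx.getPackageManager();
        // GET_SIGNING_CERTIFICATES / signingInfo require API level 28+.
        PackageInfo info = pm.getPackageInfo(LIB_PACKAGE,
                PackageManager.GET_SIGNING_CERTIFICATES);
        Signature[] signers = info.signingInfo.getApkContentsSigners();
        if (signers == null || signers.length == 0) {
            throw new SecurityException(LIB_PACKAGE + " has no signers");
        }
        // With multiple signers, all of them must be ones we trust; a single
        // matching signer among strangers is not enough.
        for (Signature s : signers) {
            if (!LIB_CERT_SHA256.equalsIgnoreCase(sha256Hex(s.toByteArray()))) {
                throw new SecurityException(
                        LIB_PACKAGE + " is not signed by the expected key");
            }
        }
        // Identity verified, so CONTEXT_IGNORE_SECURITY is acceptable here if the
        // library is signed by a different key than our own app.
        Context libCtx = ctx.createPackageContext(LIB_PACKAGE,
                Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY);
        return libCtx.getClassLoader();
    }

    /** Simpler alternative when the library is signed with the caller's key. */
    static boolean signedLikeUs(Context ctx) {
        return ctx.getPackageManager()
                .checkSignatures(ctx.getPackageName(), LIB_PACKAGE)
                == PackageManager.SIGNATURE_MATCH;
    }

    static String sha256Hex(byte[] der) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Usage (hypothetical class name): on success, a class from the verified
    // package can be instantiated; any failure above aborts before loading.
    static Object loadPlugin(Context ctx) throws Exception {
        ClassLoader cl = loadVerified(ctx);
        return cl.loadClass("com.example.sharedlib.Plugin")
                 .getDeclaredConstructor().newInstance();
    }
}
```

If the library is signed with the same key as the calling app, omitting `CONTEXT_IGNORE_SECURITY` lets the platform enforce the same-signature rule for you and `createPackageContext` will throw for any impostor; `CONTEXT_IGNORE_SECURITY` should only ever follow an explicit signer check like the one above.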
The malicious app would have to be launched once for the attack to work, Toshin said, but the attack happens without the victim’s knowledge or consent. Deleting the malicious app would not remove the malicious components from the Google app, he said.
A Google spokesperson told TechCrunch that the company fixed the vulnerability last month, and that it had no evidence that attackers had exploited the flaw. Android’s built-in malware scanner, Google Play Protect, is meant to stop malicious apps from installing. But no security feature is perfect, and malicious apps have slipped through its net before.
Toshin said the Google app vulnerability is similar to another bug discovered by the startup in TikTok earlier this year. If exploited, it could have allowed an attacker to steal a TikTok user’s session tokens to take control of their account. Oversecured has found several other similar vulnerabilities, including in Android’s Google Play app and, more recently, in apps pre-installed on Samsung phones.