A security bug in Google’s Android app put users’ data at risk – TechCrunch

Until recently, Google’s namesake Android app, which has more than five billion installs to date, had a vulnerability that could have allowed an attacker to quietly steal personal data from a victim’s device.

In a blog post, Sergey Toshin, the founder of mobile app security startup Oversecured, said that the vulnerability has to do with how the Google app relies on code that is not bundled with the app itself. Many Android apps, including the Google app, reduce their download size and the storage space needed to run by relying on code libraries already installed on Android phones.

But the flaw in the Google app’s code meant it could be tricked into pulling a code library from a malicious app on the same device instead of the legitimate code library, allowing the malicious app to inherit the Google app’s permissions and granting it near-complete access to a user’s data. That access includes a user’s Google accounts, search history, email, text messages, contacts, and call history, as well as the ability to trigger the microphone and camera and access the user’s location.

The malicious app would have to be launched once for the attack to work, Toshin said, but the attack happens without the victim’s knowledge or consent. Deleting the malicious app would not remove the malicious components from the Google app, he said.
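A general defence against this class of bug, shown as an added example that is not code from the article, Oversecured or Google, and not a description of Google's fix: before loading code from another installed package, pin that package's signing certificate as well as its name. The package name `com.example.sharedlib` and the digest placeholder are hypothetical.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import java.security.MessageDigest;

/** Added illustration: load another package's code only if its signer is pinned. */
public final class PinnedLibraryLoader {
    // Hypothetical provider package; not a name taken from the article.
    private static final String PROVIDER = "com.example.sharedlib";
    // Placeholder: SHA-256 of the provider's signing certificate (64 hex chars).
    private static final String PINNED_SHA256 = "<expected-cert-sha256-hex>";

    public static ClassLoader load(Context ctx) throws Exception {
        PackageManager pm = ctx.getPackageManager();
        // API 28+: fetch signing certificates for exactly this package name.
        PackageInfo info = pm.getPackageInfo(PROVIDER, PackageManager.GET_SIGNING_CERTIFICATES);
        SigningInfo si = info.signingInfo;
        if (si == null || si.hasMultipleSigners()) {
            throw new SecurityException("unexpected signer set for " + PROVIDER);
        }
        Signature[] signers = si.getApkContentsSigners();
        if (signers == null || signers.length != 1) {
            throw new SecurityException("expected exactly one signer for " + PROVIDER);
        }
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(signers[0].toByteArray());
        // Fail closed: a package that merely has the right name is rejected here.
        if (!PINNED_SHA256.equalsIgnoreCase(toHex(digest))) {
            throw new SecurityException("signer mismatch for " + PROVIDER);
        }
        // CONTEXT_IGNORE_SECURITY switches off the platform's own check on loading
        // foreign code, so the pin above is the only gate before this call.
        Context libCtx = ctx.createPackageContext(PROVIDER,
                Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY);
        return libCtx.getClassLoader();
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```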

A Google spokesperson told TechCrunch that the company fixed the vulnerability last month, and it had no evidence that attackers had exploited the flaw. Android’s built-in malware scanner, Google Play Protect, is meant to stop malicious apps from installing. But no security feature is perfect, and malicious apps have slipped through its net before.

Toshin said the Google app vulnerability is similar to another bug discovered by the startup in TikTok earlier this year. If exploited, it could have allowed an attacker to steal a TikTok user’s session tokens to take control of their account. Oversecured has found several other similar vulnerabilities, including in Android’s Google Play app and, more recently, in apps pre-installed on Samsung phones.