A new day, a new threat to Android devices. Over 100 million Android devices with more than two dozen apps installed were found leaking user data in an unrestrained manner. A team of security researchers at Check Point Research has released a list of apps -- some of them are quite popular and have a huge install base -- that are full of vulnerabilities that hackers can harness to steal personal information from Android devices, including smartphones and tablets. Worse, the personal data of millions of users is available on real-time databases linked to these Android apps.
In its report, the Check Point Research team has pointed out that some of these vulnerable apps specialised in astrology, fax, taxi services, and screen recording. The researchers have pointed out at least three apps from this list. They are Astro Guru - a popular astrology, horoscope, and palmistry app, T'Leva, a taxi-hailing app with over 50,000 downloads, and Logo Maker, a logo-designing app. The personal data that is at risk because of the vulnerability in these apps includes emails, passwords, names, dates of birth, gender information, private chats, device location, user identifiers, among others.
An app that takes user information has a real-time database that stores all the data from the users. According to Check Point Research, "Real-time database allows application developers to store data on the cloud, making sure it is synched in real-time to every connected client." But because some developers overlooked the security of the database, there lies a vulnerability and this misconfiguration leaves the entire repository prone to identity theft, service-swipe, and ransomware. And since a large number of apps on this list are quite popular, there is a potential for a big-scale attack.
Storing data is one thing, but because all these apps are linked to real-time databases, the vulnerability leaves the exchange of chat messages, as it happens, prone to hack. Researchers were able to fetch chat messages between taxi drivers and passengers on the T'Leva app, along with their full names, phone numbers, and locations -- all by sending just one request to the database. Imagine how weak the security of these databases is. And to make things even worse, some of the apps had both "read" and "write" permissions turned on, making it easy for unwanted people to gain access. "This alone could compromise an entire application, not even considering the hit to the developer's reputation, their user-base, or even their relationship with the hosting market," said the report.
The vulnerability in these apps can also allow hackers to access the push notification manager. Hackers can send notifications to these apps on behalf of their developers. Since the notification is received in the name of the installed app on an Android phone, users of these apps may not be able to suspect a thing and tap on these notifications unknowingly. Imagine a news app with a notification masquerading as a link to a suspicious website that may hack into the phone or steal information from you.
The Check Point Research team has mentioned several ways this vulnerability in the apps can be utilised by hackers to target millions of users. Right now, it is advisable to delete these apps immediately from your phone. Only after the fixes to these apps have been rolled out, can you download them again.
Copyright©2021 Living Media India Limited. For reprint rights: Syndications Today