Discovering a vulnerability in Android
App Security has detected a vulnerability in Google's Android system that allows malicious apps to extract sensitive data from other apps on the same device.
Security researchers discovered the vulnerability in the widely used Google Play Core library, which lets developers push in-app updates and new feature packages, such as language packs or game levels, to Android apps.
Malicious apps on the same Android device can exploit this vulnerability by inserting malicious modules into other apps that rely on the library, and so steal private information such as passwords and credit card numbers from those apps.
Founder Sergei Tuchin told TechCrunch that exploiting this vulnerability was "extremely easy". The startup used a few lines of code to create a proof-of-concept app and tested the vulnerability in the Google Chrome browser on Android, which relied on a vulnerable version of the Play Core library.
According to Tuchin, the proof-of-concept app was able to steal the victim's browser history, password, and login cookies. However, Tuchin said the vulnerability also affects some of the most popular apps on the Android App Store.
Google has confirmed that the vulnerability (with a severity rating of 8.8 out of 10) has been resolved. A Google spokesman said: "We thank the researchers for informing us of this problem and resolving it in March."
Tuchin said app developers should update their apps to the latest version of the Play Core library to remove the threat.