An Android app that puts user data at risk
Google's eponymous Android app has been installed more than 5 billion times so far. The application has a vulnerability that could allow an attacker to steal personal information from the victim's device.
Sergei Tushin, founder of mobile app security company Oversecured, said the vulnerability is related to how the Google app relies on code that is not bundled with the app itself.
Many Android apps (including Google apps) rely on code libraries already installed on Android phones to reduce their download size and the storage space they need to run.
A flaw in the Google app's code means that it can be tricked into pulling in a code library from a malicious app on the same device, rather than the legitimate code library.
This allows the malicious app to inherit permissions from the Google app and gives it near-total access to user data.
This includes access to the user's Google account, search history, emails, text messages, contacts, and call history, as well as the ability to turn on the microphone and camera and access the user's location.
According to Tushin, the malicious application must be run once for the attack to succeed, but the attack then takes place without the victim's knowledge or consent. Removing the malicious app does not remove the malicious components from the Google app.
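One general safeguard for the pattern described above, where an app loads code supplied by another package on the same device, is to check who signed that package before loading anything from it. This is an added example, not code from Google or Oversecured and not the fix Google shipped; the package name and pinned digest are placeholders, and it assumes Android API level 28 or later.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Loads code from another installed package only after checking who signed it. */
public final class TrustedCodeProvider {
    // Assumption: placeholder package name for the shared-library provider.
    private static final String PROVIDER_PACKAGE = "com.example.sharedlib";
    // Assumption: placeholder (all zeros). Replace with the SHA-256 digest of the
    // provider's real signing certificate, shipped inside the loading app.
    private static final byte[] PINNED_CERT_SHA256 = new byte[32];

    private TrustedCodeProvider() {}

    public static ClassLoader load(Context app)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        // A package name alone proves nothing about who published the code,
        // so ask the system for the certificates behind it.
        PackageInfo info = app.getPackageManager()
                .getPackageInfo(PROVIDER_PACKAGE, PackageManager.GET_SIGNING_CERTIFICATES);
        if (info.signingInfo == null) {
            throw new SecurityException("no signing information for " + PROVIDER_PACKAGE);
        }
        // Certificates that signed the APK currently installed under this name.
        Signature[] signers = info.signingInfo.getApkContentsSigners();
        if (signers == null || signers.length != 1) {
            throw new SecurityException("expected exactly one signer");
        }
        byte[] actual = MessageDigest.getInstance("SHA-256")
                .digest(signers[0].toByteArray());
        // Constant-time comparison; refuse to load anything on a mismatch.
        if (!MessageDigest.isEqual(actual, PINNED_CERT_SHA256)) {
            throw new SecurityException(
                    "signer of " + PROVIDER_PACKAGE + " is not the pinned one");
        }
        // Only now map the provider's code into this process.
        Context provider = app.createPackageContext(
                PROVIDER_PACKAGE, Context.CONTEXT_INCLUDE_CODE);
        return provider.getClassLoader();
    }
}
```

The check fails closed: a missing package, an unexpected number of signers, or a digest mismatch all end in an exception before any foreign code is mapped into the process.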
Fixing the Android app:
Google fixed the vulnerability last month. There is no indication that attackers were able to exploit this vulnerability.
The malware scanning tool included with Google Play Protect is designed to prevent the installation of malicious apps. But no security feature is perfect: malicious apps have slipped past it before.
Tushin said the vulnerability in the Google app is similar to another vulnerability the company discovered in the TikTok app earlier this year. If exploited, it could have let an attacker steal TikTok users' session tokens in order to gain control of their accounts.
Oversecured has also discovered several other similar vulnerabilities, including one in the Google Play app for Android. It has also recently discovered vulnerabilities in apps pre-installed on Samsung phones.