As posted on Whoops. Millions of Android phones are wide open to hackers
All is not well in Google Play.
A group of researchers has determined that hundreds of apps in the store have a gaping security hole that potentially allows hackers to implant malware and steal data from millions of Android smartphones.
According to a paper detailing the alleged flaw, the problem lies within apps that create open ports on cellphones. This is a known and understood problem with computers, but hasn’t before been systematically studied in smartphones. The University of Michigan team used a custom tool to scan 24,000 apps and found 410 potentially vulnerable applications — at least one of which has been downloaded millions of times.
“These newly discovered exploits can lead to a large number of severe security and privacy breaches,” the group explains. “For example remotely stealing sensitive data such as contacts, photos, and even security credentials and performing malicious actions such as executing arbitrary code and installing malware remotely.”
The main problem appears to be with apps like WiFi File Transfer, which lets users connect to a port on their phone via Wi-Fi and access its contents. The apps make it easy to transfer files from a phone to a computer, but because of insufficient security the ability to do so is apparently not limited to merely the device’s owner.
WiFi File Transfer has been installed between 10 million and 50 million times, meaning this problem is not just theoretical — a fact the University of Michigan researchers didn’t have to look far to confirm.
“To get an initial estimate on the impact of these vulnerabilities in the wild, we performed a port scanning in our campus network, and immediately found a number of mobile devices in 2 minutes which were potentially using these vulnerable apps.”
The researchers manually confirmed that 57 of the 410 apps were indeed vulnerable, and demonstrated various attacks in a series of videos showing how the “app opens ports by default and no client authentication or incoming connection notifications are engaged, which put the device user into severe danger.”
The apps appear to leave the security barn door wide open, in other words, and malicious actors can stroll right in.
We reached out to Google for comment, but received no response as of publication.
The good news is that there is an easy fix if you have one of these potentially vulnerable applications: Uninstall it. Unfortunately, unless the problem is systematically addressed, this is a vulnerability that will be with us for a long time to come.