Article 57F59 Android security bug let malicious apps siphon off private user data

Android security bug let malicious apps siphon off private user data

by
Zack Whittaker
from Crunch Hype on (#57F59)

A security vulnerability in Android could have allowed malicious apps to siphon off sensitive data from other apps on the same device.

App security startup Oversecured found the flaw in Google's widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps, like language packs or game levels.

A malicious app on the same Android device could exploit the vulnerability by injecting malicious modules into other apps that rely on the library to steal private information, like passwords and credit card numbers, from inside the app.

Sergey Toshin, founder of Oversecured, told TechCrunch that exploiting the bug was pretty easy."

The startup built a proof-of-concept app using a few lines of code and tested the vulnerability on Google Chrome for Android, which relied on a vulnerable version of the Play Core library. Toshin said the proof-of-concept app was able to steal a victim's browsing history, passwords and login cookies.

But Toshin said the bug also affected some of the most popular apps in the Android app store.

Google confirmed the bug, rated 8.8 out of 10.0 for severity, is now fixed. We appreciate the researcher reporting this issue to us, and as a result it was patched in March," said a Google spokesperson.

Toshin said app developers should update their apps with the latest Play Core library to remove the threat.

A new Android bug, StrandHogg 2.0, lets malware pose as real apps and steal user data

Techcrunch?d=2mJPEYqXBVI Techcrunch?d=7Q72WNTAKBA Techcrunch?d=yIl2AUoC8zA Techcrunch?i=ljKtlm04s-Y:6_Amo9S-Dqo:-BT Techcrunch?i=ljKtlm04s-Y:6_Amo9S-Dqo:D7D Techcrunch?d=qj6IDK7rITsljKtlm04s-Y
External Content
Source RSS or Atom Feed
Feed Location http://feeds.feedburner.com/TechCrunch/
Feed Title Crunch Hype
Feed Link https://techncruncher.blogspot.com/
Reply 0 comments