Popular Android apps expose millions of users to cyber criminals

Hundreds could allow hackers to steal data and remotely install malware on to smartphones

Aatif Sulleyman
Wednesday 03 May 2017 09:39 EDT
'These vulnerabilities can be exploited to cause severe damage,' say the researchers (Getty)

Hundreds of Google Play apps are potentially exposing Android users to hackers, according to a new study.

University of Michigan researchers used a custom-built tool called OPAnalyzer to scan 24,000 apps, and found 410 that could allow cyber criminals to steal users’ data and remotely install malware onto smartphones.

Several of those apps are extremely popular, having been downloaded by millions of users. One even comes pre-installed on some phones.

The issue concerns unprotected open ports, which are already known to pose a threat to computers.

“An open port (or a listening port) is a communication endpoint for accepting incoming connections in computer networking model, typically used by server applications to handle requests from remote clients,” explains the report.

“However, these ports can also be connected by malicious clients if not carefully protected, exposing potential vulnerability in the server software to remote exploitation.”

The 410 apps pinpointed by the researchers all create open ports on the smartphones they’re installed on, leaving users’ data vulnerable to thieves.

A small-scale scan carried out by the researchers took just two minutes to find 40 mobile devices potentially using the affected apps.

“From the identified vulnerable usage, we discover 410 vulnerable applications with 956 potential exploits in total,” the report reads. “We manually confirmed the vulnerabilities for 57 applications, including popular ones with 10 to 50 million downloads on the official market, and also an app that is pre-installed on some device models.

“These vulnerabilities can be exploited to cause highly severe damage such as remotely stealing contacts, photos, and even security credentials, and also performing sensitive actions such as malware installation and malicious code execution.”

The researchers haven’t named the apps, but say that the vulnerabilities have been reported.
