Popular Android apps leak personal data, study finds
Popular Android apps from the Google Play store are vulnerable to theft of personal details, including emails and bank account logins, according to a new study. As many as 185 million users who downloaded vulnerable applications could be tricked into revealing their personal data, the research indicates.
Researchers at the University of Leibniz and University of Marburg, Germany, tested the 13,500 most popular apps in the Google Play store and identified 41 apps that are prone to SSL certificate attacks. They used a fake Wi-Fi hotspot and a purpose-built attack tool that could spy on the data passing between a smartphone and the website the app connects to.
In their tests, the researchers were able to capture login credentials for email services, social media sites, online bank accounts, and even corporate networks. They were also able to trick or disable security software on Android and inject malicious code to make apps carry out specific commands.
The research paper says: “We have captured credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts, and email accounts. We have successfully manipulated virus signatures downloaded via the automatic update functionality of an anti-virus app to neutralize the protection or even to remove arbitrary apps, including the anti-virus program itself.”
The researchers did not name the vulnerable apps, but they did say that the Facebook app for Android is not prone to the attacks they tested, and that it displays meaningful warning messages when a possible attack is taking place. However, they noted that many apps display only abstract warnings during an SSL attack, which could leave users confused.
A follow-up survey of 745 people examined whether users are aware when they are browsing over unsecured connections from their phones, leaving them prone to attacks. Among the non-IT experts, almost half thought they were using a secure connection when they were actually not, while 35 percent of IT-educated users also mistook insecure connections for safe ones.