Popular Android apps have been discovered with gaping security holes that allow them to leak sensitive data, a study in Germany reveals.
Researchers at the Leibniz University and the Philipps University of Marburg analysed some 13,500 free apps from the Google Play store and found that a staggering eight per cent of them - 1,074 to be exact - have inadequate protection against malicious threats.
Of these, 100 were tested using a fake Wi-Fi hotspot. 41 of them, with 39.5 million users worldwide, were successfully hacked to steal banking and social media log-in credentials.
According to the report, the apps implement SSL and TLS encryption incorrectly, leaving them vulnerable to so-called ‘Man in the Middle’ (MITM) attacks.
“We could gather bank account information, payment credentials for PayPal, American Express and others,” said the researchers.
“Facebook, email and Cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.”
Worse still, the scientists were able to “inject virus signatures into an anti-virus app to detect arbitrary apps as a virus or disable virus detection completely,” leaving them wide open to malware galore.
Although Google has already come out and said that tests conducted on other platforms would yield similar results, there’s clearly a concern that the search giant’s relatively laissez-faire approach to vetting app submissions has let some bad 'uns slip through.
Paul Ducklin of security specialists Sophos said: “The barrier of entry to an application that is either badly written or even dodgily written seems to be quite low.
“You can occasionally stumble across stuff which really shouldn't be in the Play Store.”
The exact identities of the offenders are as yet unknown, but we suspect they are some of the most widely used apps on Google’s OS.
Despite the findings, Google is unlikely to rethink its approval policy. However, with news arriving that a top Homeland Security agency has switched from BlackBerry to iPhones as the official smartphone for employees, snubbing Android in the process, the Big G may have no choice but to act soon.
The Daily Mail