A security firm found a serious flaw that allowed nefarious actors to exploit Android apps in order to secretly steal users’ private data…
Another Android security vulnerability could have let malicious mobile applications siphon off sensitive data from other apps on the same device. That is according to security researchers at startup Oversecured, who discovered the vulnerability inside Google’s widely used Play Core library, the technology that allows developers to push in-app updates, along with new feature modules such as language packs or game levels, to their Android apps.
Android Security Flaw Allowed Malicious Apps to Steal Private User Data
Sergey Toshin, founder of Oversecured, says that a malicious app, when installed on a device, could inject malware into other legitimate apps that rely on the Google Play Core library in order to steal private information, including login credentials and payment numbers stored inside the target apps. To demonstrate this, the security team built a proof-of-concept app and unleashed it. The proof-of-concept app then stole things like the victim’s browsing history, login credentials, and login cookies.
Oversecured shared its findings with Google. Afterward, Google confirmed the bug’s existence and assigned it a severity rating of 8.8 out of 10. Google has since applied a fix. Although the flaw has been fixed, Toshin still strongly recommends that developers update their apps with the latest Play Core library to ensure the threat is removed.