A number of Android apps contain bugs that may have exposed sensitive information of more than 100 million users, making them a lucrative target for malicious actors.
In a report published today and shared with The Hacker News, Check Point researchers said that the private information of millions of users was exposed because the apps' developers did not follow best practices when configuring and integrating third-party cloud services.
“In some cases, this type of misuse only affects the users; however, the developers were also left vulnerable. The misconfigurations put users’ personal data and developers’ internal resources, such as access to update mechanisms, storage, and more, at risk.”
Study results come from examining 23 Android apps from the official Google Play Store such as Astro Guru, iFax, Logo Maker, Screen Recorder, and T’Leva, some of which have received up to 10 million downloads.
Check Point’s analysis
In Check Point’s analysis, the issues stem from misconfigured real-time databases, push notification services, and cloud storage keys, exposing users’ email addresses, phone numbers, text messages, locations, passwords, backups, browser histories, and photos.
Because T’Leva’s database was not protected by authentication, the researchers were able to obtain sensitive information about its users, including texts exchanged between drivers and passengers, full names, phone numbers, and pickup and destination locations.
How do bad actors exfiltrate data?
In addition, the researchers discovered that app developers embedded the keys needed to send push notifications and to access cloud storage directly into their apps. This gives bad actors an easy path to rogue actions such as sending a bogus alert to all users on behalf of the developer and potentially directing unsuspecting users to malicious sites, opening the door to more sophisticated threats.
The researchers also found that exposing cloud storage access keys to unauthorized parties can give adversaries access to all data stored in the cloud, as it did in two apps, Screen Recorder and iFax, where the researchers could view users’ screen recordings and faxed documents.
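The two misconfigurations described above (a real-time database readable without authentication, and cloud or push keys packaged inside the app) can both be caught before release with a simple audit of the developer's own artifacts. The script below is an added example, not Check Point's tooling or any app's code; it assumes a Firebase-style JSON rules document (the article does not name the database product) and uses constructed sample inputs with fake key values.

```python
"""Pre-release audit for two misconfigurations: database rules that grant
unauthenticated access, and cloud keys embedded in app resources.
All sample inputs below are constructed; no real keys or apps."""
import json
import re

# Constructed sample: Firebase-style rules (an assumption about the product)
# that leave the whole "rides" tree readable and writable by anyone.
WEAK_RULES = json.dumps({
    "rules": {
        "rides": {".read": True, ".write": True},
        "users": {"$uid": {".read": "auth.uid === $uid",
                           ".write": "auth.uid === $uid"}},
    }
})

# Constructed sample strings.xml with fake keys shaped like real ones.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">RideApp</string>
    <string name="maps_key">AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE12345</string>
    <string name="s3_key">AKIAEXAMPLEEXAMPLE01</string>
</resources>"""


def audit_rules(rules_json: str) -> list:
    """Return database paths whose .read or .write is the literal true.

    A boolean true grants access to anyone on the internet with no auth
    token at all; string rules are expressions and are not flagged."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write") and value is True:
                findings.append(f"{path or '/'} {key} open to everyone")
            elif not key.startswith("."):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return findings


# Heuristic shapes of common cloud credentials; a match needs manual review.
KEY_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}


def find_embedded_keys(resource_text: str) -> list:
    """Return the names of credential patterns found in a resource file."""
    return sorted(n for n, p in KEY_PATTERNS.items() if p.search(resource_text))
```

Run `audit_rules` against the exported rules and `find_embedded_keys` against the decoded resource files of a release build; any finding from either should block the release until the rule is scoped to authenticated users or the key is moved server-side.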
According to Check Point researchers, only a few apps changed their configuration as a result of responsible disclosure, suggesting that users of the other apps may still be at risk of fraud and identity theft, as well as of attackers leveraging stolen passwords to gain fraudulent access to other accounts.
Aviran Hazum, Check Point’s manager of mobile research, said:
“Ultimately, victims become vulnerable to many different attack vectors, such as impersonations, identity theft, phishing and service swipes, which sheds light on a disturbing reality where application developers place not only their data but their private users’ data at risk.”