By Eric Lieberman
Thousands of applications on Google’s Android operating system “collude” to share users’ phone data without consent, leaving phones vulnerable to hackers, according to a new study.
“This is the first time we’ve found real-world evidence that apps are colluding with one another,” Gang Wang, an assistant professor at Virginia Tech, told The Hill. “Apps are talking to each other to get information when they don’t have permission to do so.”
As mobile phones become omnipresent, researchers at Virginia Tech sought to discover to what extent trusted apps on Android phones are able to talk to one another and trade information, and the subsequent implications. (Wang clarified that they already knew apps communicated with each other.)
“What this study shows undeniably with real-world evidence over and over again is that app behavior, whether it is intentional or not, can pose a security breach depending on the kinds of apps you have on your phone,” Wang said in the official Virginia Tech press release.
Essentially, Wang is alluding to the fact that cybercriminals install thousands of malicious apps in third-party stores for Android.
If malware-infested apps collude with unsuspecting authentic apps, cybercriminals can gain access to data from other apps directly on the phone system, like Gmail, Google Play, Google Photos, Google Docs, Google Drive, and several others. Such a method is exactly how hackers were able to breach more than 1 million Google Android accounts, in what Forbes considers the largest theft of Google data in history.
“Of the apps we studied, we found thousands of pairs of apps that could potentially leak sensitive phone or personal information and allow unauthorized apps to gain access to privileged data,” said Daphne Yao, associate professor at Virginia Tech.
The team of researchers studied 110,150 apps over three years, and found that the biggest security risks usually came from apps such as those that personalize ringtones, widgets, and emoticons.
“App security is a little like the Wild West right now with few regulations. We hope this paper will be a source for the industry to consider re-examining their software development practices and incorporate safeguards on the front end,” Wang concluded in the press release. “While we can’t quantify what the intention is for app developers in the non-malware cases we can at least raise awareness of this security problem with mobile apps for consumers who previosuly (sic) may not have thought much about what they were downloading onto their phones.”