Advertisement
UK markets closed
  • FTSE 100

    7,952.62
    +20.64 (+0.26%)
     
  • FTSE 250

    19,884.73
    +74.07 (+0.37%)
     
  • AIM

    743.26
    +1.15 (+0.15%)
     
  • GBP/EUR

    1.1705
    +0.0011 (+0.10%)
     
  • GBP/USD

    1.2619
    -0.0003 (-0.03%)
     
  • Bitcoin GBP

    55,264.82
    -690.70 (-1.23%)
     
  • CMC Crypto 200

    885.54
    0.00 (0.00%)
     
  • S&P 500

    5,254.35
    +5.86 (+0.11%)
     
  • DOW

    39,807.37
    +47.29 (+0.12%)
     
  • CRUDE OIL

    83.11
    -0.06 (-0.07%)
     
  • GOLD FUTURES

    2,254.80
    +16.40 (+0.73%)
     
  • NIKKEI 225

    40,369.44
    +201.37 (+0.50%)
     
  • HANG SENG

    16,541.42
    +148.58 (+0.91%)
     
  • DAX

    18,492.49
    +15.40 (+0.08%)
     
  • CAC 40

    8,205.81
    +1.00 (+0.01%)
     

Android security bug let malicious apps siphon off private user data

A security vulnerability in Android could have allowed malicious apps to siphon off sensitive data from other apps on the same device.

App security startup Oversecured found the flaw in Google's widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps, like language packs or game levels.

A malicious app on the same Android device could exploit the vulnerability by injecting malicious modules into other apps that rely on the library to steal private information, like passwords and credit card numbers, from inside the app.

Sergey Toshin, founder of Oversecured, told TechCrunch that exploiting the bug was "pretty easy."

ADVERTISEMENT

The startup built a proof-of-concept app using a few lines of code and tested the vulnerability on Google Chrome for Android, which relied on a vulnerable version of the Play Core library. Toshin said the proof-of-concept app was able to steal a victim's browsing history, passwords and login cookies.

But Toshin said the bug also affected some of the most popular apps in the Android app store.

Google confirmed the bug, rated 8.8 out of 10.0 for severity, is now fixed. "We appreciate the researcher reporting this issue to us, and as a result it was patched in March," said a Google spokesperson.

Toshin said app developers should update their apps with the latest Play Core library to remove the threat.