A security bug in Google’s Android app put users’ data at risk

Submitted by Style Pass, 2021-06-17 16:00:08

Until recently, Google’s namesake Android app, which has more than five billion installs to date, had a vulnerability that could have allowed an attacker to quietly steal personal data from a victim’s device.

Sergey Toshin, founder of mobile app security startup Oversecured, said in a blog post that the vulnerability has to do with how the Google app relies on code that is not bundled with the app itself. Many Android apps, including the Google app, reduce their download size and the storage space needed to run by relying on code libraries that are already installed on Android phones.

But the flaw in the Google app’s code meant it could be tricked into pulling a code library from a malicious app on the same device instead of the legitimate code library, allowing the malicious app to inherit the Google app’s permissions and granting it near-complete access to a user’s data. That includes access to a user’s Google accounts, search history, email, text messages, contacts and call history, as well as the ability to trigger the microphone and camera and to access the user’s location.

The malicious app would have to be launched once for the attack to work, Toshin said, but the attack happens without the victim’s knowledge or consent. Deleting the malicious app would not remove the malicious components from the Google app, he said.