Android Apps Are Conspiring to Steal Your Data

Apps on the average Android device have access to mountains of personal information. Thanks to broad and often unnecessary permission settings, these apps know users’ exact location, email information, passwords, credit card numbers and expiration dates, health status, browsing habits, and more. What’s even worse is that apps are now sharing this wealth of information with each other, filling in information gaps to provide app developers with an unsettling amount of private data.

According to a recent study by security researchers at Virginia Tech, apps have been trading information, some with the intention of mining private user data. Using DIALDroid, a software tool custom-built for the study, researchers uncovered more than 23,000 such colluding pairs. In particular, they pinpointed a relatively small number of sender apps involved in the vast majority of the uncovered colluding pairs.

The Culprits
The worst offenders were often apps that appeared entirely innocent on the surface. The apps most likely to engage in this collusion were ones that provided users with wallpapers, ringtones, new emojis, and even flashlight services. In one instance, a torch app leaked the geolocation and contact data of users. In another, an app designed to provide Muslim users with prayer times made location data available to other apps on the same device.

The Good News and the Bad News
According to Daphne Yao, a member of the security research team, the actual rate of collusion between these compromising apps is generally quite low. On the other hand, Yao notes that now that the security flaw has been exposed, it is more likely to be taken advantage of by hackers. Developers of malicious apps who have been made aware of the breach might be inclined to exploit this flaw. In addition, while the rate of collusion was low, the recorded information-sharing instances displayed a reckless attitude towards private data.

Regardless of whether individual apps share data intentionally, this type of security flaw still creates a risk of serious security breaches. Malicious apps looking to take advantage of this opening have the potential to collude with unsuspecting, legitimate apps. In fact, a malware attack targeting Google accounts in 2016 did just that. By accessing login information through malicious apps’ collusion with Google apps, hackers were able to breach more than one million accounts across Asia and the Americas. If you’ve never paid much attention to the permissions that you give certain apps, it’s time to start paying attention.

PSafe Newsroom
