Researchers at the University of Michigan have found that hundreds of Android applications in Google Play open network listening ports on the phone with weak or no authentication. The apps in question turn the phone into a server, typically so the user can connect the phone directly to a home PC. Because those ports are exposed, an attacker who can reach them can read data from the phone, including contacts, text messages and photos, or push malware onto the device.
The researchers scanned 100,000 popular apps in the Google Play store for apps that let a user connect to the phone directly in order to send text messages, transfer files or use the phone as an Internet connection. They found 1,632 apps that open such a port. Of those, 410 had no or weak protection on the open port. From that subset the researchers manually analyzed 57 apps and confirmed that each left a port open and exploitable by an attacker on the same local Wi-Fi network, by another app on the same device (even one with no special permissions), or by a script that runs in the victim's browser when they merely visit a website.
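The practical check that follows from this finding is to see which apps on a device are listening, and on which interface. The script below is an added example, not code from the study or from this page: it parses the socket tables Android exposes at /proc/net/tcp and /proc/net/tcp6 (the same format Linux uses, which can be pulled with `adb shell cat /proc/net/tcp`), keeps the sockets in LISTEN state, decodes the hex addresses, and separates ports bound on every interface (reachable over Wi-Fi) from loopback-only ports (reachable only from other apps on the device and from scripts running in the browser). The UID ranges used to tell app sandboxes from system services follow Android's convention of app IDs 10000-19999; the socket tables embedded in the script are constructed for illustration and do not come from a real device.

```python
"""Flag listening TCP sockets on an Android device by the interface they bind to.

Added example. The sample /proc/net/tcp tables below are constructed for
illustration; they are not taken from a real device or from the Michigan study.
"""
from __future__ import annotations

import ipaddress
import socket
import struct
from dataclasses import dataclass

LISTEN = "0A"  # TCP state LISTEN as printed in the `st` column of /proc/net/tcp


@dataclass
class Listener:
    addr: str
    port: int
    uid: int
    exposure: str  # "network" (reachable over Wi-Fi) or "device-only" (loopback)


def _decode_addr(hex_ip: str) -> str:
    """/proc/net/tcp prints each 32-bit word of the address in host byte order.

    IPv4 (/proc/net/tcp) is one word; IPv6 (/proc/net/tcp6) is four words.
    """
    words = [struct.pack("<I", int(hex_ip[i:i + 8], 16))
             for i in range(0, len(hex_ip), 8)]
    raw = b"".join(words)
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw)


def _is_loopback(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return ip.is_loopback


def is_app_uid(uid: int) -> bool:
    """Android app sandboxes get app IDs 10000-19999 (plus 100000 per device user)."""
    return 10000 <= uid % 100000 <= 19999


def parse_proc_net_tcp(text: str) -> list[Listener]:
    """Return every LISTEN socket in a /proc/net/tcp or /proc/net/tcp6 dump."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        # columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid ...
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        addr = _decode_addr(hex_ip)
        exposure = "device-only" if _is_loopback(addr) else "network"
        listeners.append(Listener(addr, int(hex_port, 16), int(fields[7]), exposure))
    return listeners


def network_exposed_app_ports(text: str) -> list[int]:
    """Ports that an app (not a system service) has bound on every interface."""
    return [item.port for item in parse_proc_net_tcp(text)
            if item.exposure == "network" and is_app_uid(item.uid)]


# Constructed sample tables (not real device output).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10085        0 18311 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1B58 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10102        0 18402 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10211 1 0000000000000000 100 0 0 10 0
   3: 0100007F:8B2E 0A00020F:01BB 01 00000000:00000000 00:00000000 00000000 10085        0 18412 1 0000000000000000 20 4 30 10 -1
"""

SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:22B8 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10085        0 18500 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:270F 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10085        0 18501 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for name, table in (("tcp", SAMPLE_TCP), ("tcp6", SAMPLE_TCP6)):
        for item in parse_proc_net_tcp(table):
            who = "app" if is_app_uid(item.uid) else "system"
            print(f"{name}: {item.addr}:{item.port} uid={item.uid} ({who}) {item.exposure}")
```

On a real device, run `adb shell cat /proc/net/tcp` and `adb shell cat /proc/net/tcp6` and feed the output to `parse_proc_net_tcp`; `adb shell cat /proc/<pid>/cmdline` or `pm list packages -U` (on recent Android) maps a UID back to a package. A "network" entry owned by an app UID is the condition the study describes: anyone on the same Wi-Fi can connect to it, and whether that matters depends entirely on the authentication the app applies once the connection is made. A "device-only" entry is not safe either; it is out of reach of the Wi-Fi attacker but still reachable by the other two vectors the researchers demonstrated, another app on the device and a web page loaded in the browser.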
Neither Google nor the user can patch the flaw; the fix has to come from each app's developer. Until an app is fixed, the only remedy available to a user is to uninstall it. When the researchers notified four app developers, only one responded and said it had patched the issue.
Whatever phone you use, be cautious about what you install: read an app's privacy policy and terms of use, keep up with reported vulnerabilities in the apps already on your phone, and remember that convenience alone is not a reason to install an app.
Check out our series, Privacy Perils, to learn what steps you can take to guard your personal and company data. For more information about this topic and other cyber security concerns, please contact a member of our Privacy & Data Security team.