Google’s namesake Android app, which has more than five billion installs to date, had a vulnerability that could have allowed an attacker to steal personal data from a victim’s device.
The vulnerability is related to how the Google app relies on code that is not included with the app itself, said Sergei Tushin, founder of mobile app security company Oversecured.
Many Android apps, including the Google app, reduce the download size and storage space needed to run by relying on code libraries installed across Android phones.
A flaw in the Google app’s code means that it may be tricked into pulling a code library from a malicious app on the same device instead of from a legitimate code library.
This allows the malicious app to inherit the permissions of the Google app and give it near-total access to user data.
This includes access to a user’s Google accounts, search history, email, text messages, contacts, and call history, as well as the ability to turn on the microphone and camera and access the user’s location.
The malicious application must be run once for the attack to succeed, Tushin said. But the attack occurs without the victim’s knowledge or consent. Deleting the malicious application will not remove the malicious components of the Google application.
Android app repair:
Google said it fixed the vulnerability last month. It had no evidence that the flaw had been exploited by the attackers.
The malware scanning tool included with Google Play Protect aims to prevent the installation of malicious apps. But no security feature is perfect, and malicious apps have infiltrated its network before.
Toshin said the vulnerability in the Google app is similar to another flaw the company discovered in the TikTok app earlier this year, which, if exploited, could have allowed an attacker to steal the tokens of a TikTok user session to gain control of their accounts.
Oversecured has discovered several other similar vulnerabilities, including the Google Play app from Android. It has also recently discovered vulnerabilities in previously installed apps on Samsung phones.