Security firm CheckPoint in their latest report revealed that more than 23 malicious Android apps carried a variety of cloud misconfigurations. These misconfigurations are due to the data exposure of more than 100 million users.
The company confirmed that the issue originates from misconfiguring the:
- Cloud storage keys
- Push notifications
- Chat messages
- Phone numbers
- Browsing history
- Real-time database
Besides this, the researchers also found that the app developers have embedded keys needed to send the push notifications and access the cloud storage services into the apps. This favors the threat actors as they can send a rogue or bogus notification to all users and pretends to the developer. Moreover, they can target the victims by launching a phishing attack and getting an entry point for committing more sophisticated attacks.
The Android apps that were examined in the report include; logo maker, screen recorder, fax service, taxi app, and astrology software. These apps receive 10,000 to 100 million downloads. All these apps leaked chat messages, email records, images, IDs, passwords, and location details.
The most alarming thing is that some users’ data are publicly available in the unsecured cloud setup. The misconfiguration issues with the malicious Android apps that it is a comprehensive issue and can be exploited for malicious purposes.
According to the researchers, these security flaws are because the developers are failing to implement the best practices when configuring and integrating the third-party cloud services into their applications.
The report also highlighted that only a few apps altered their configuration in response to the exposure. This leaves the users to remain vulnerable to potential threats such as identity theft and password theft.
Previously, the researchers published an advisory on Qualcomm MMS data service that can be used to transfer malicious code into Android handset modems.
Now, it is high time for the Android developers to look into this matter seriously and adopt every possible way to protect user online privacy.