The Check Point Research team has recently discovered that in the last few months, mobile app developers potentially exposed the private data of over 100 million Android users, by not following best security practices when integrating third-party cloud services into their applications.

The Check Point researchers analyzed 23 Android apps, including a screen recorder, a fax service, a logo maker, a taxi app, and an astrology app, and discovered that the developers exposed both their own and users’ data as a result of misconfigurations in third-party cloud services.

While investigating the content on the publicly available database, we were able to recover a lot of sensitive information including email addresses, passwords, private chats, device location, user identifiers, and more. If a malicious actor gains access these data it could potentially result in service-swipes (ie. trying to use the same username-password combination on other services), fraud, and identity theft.

Source

In 13 of the 23 apps, sensitive details were publicly available in unsecured cloud setups.

The sensitive data included chat messages, emails, location details, gender, date of birth, phone numbers, passwords, photos, and payment details. Threat actors could easily use this information to carry out fraud, identity theft, and service swipes.

Some of those apps, including Astro Guru, Logo Maker, and Screen Recorder, were found in the Google Play store and had more than 10 million downloads. Screen Recorder exposed cloud storage keys, giving access to users’ screenshots from the device.

Astro Guru app heimdal

Screen Recorder app heimdal

Images Source: Check Point Research

Other apps exposed data related to their developers, such as credentials for the app’s push notification service. Cybercriminals can exploit push services to send fake alerts to app users.

While the data of the push notification service is not always sensitive, the ability to send notifications on behalf of the developer is more than enough to lure malicious actors. Imagine if a news-outlet application pushed a fake news entry notification to its users that directed them to a phishing page requesting that they renew their subscription. Since the notification originated from the official app, the users will not suspect a thing, as they are sure that this notification was sent by the developers.

Source

iFax, another Android app, exposed cloud storage keys, enabling access to a database containing fax transmissions and other documents from over 500,000 users.

The researchers were able to access all messages sent in the taxi service app T’Leva between customers and drivers, and also names, phone numbers, and other details, by sending one simple request to the database.

T Leva app heimdal

Image Source: Check Point Research

This misconfiguration of real-time databases is not new, but to our surprise, the scope of the issue is still far too broad and affects millions of users. All our researchers had to do was attempt to access the data. There was nothing in place to stop the unauthorized access from being processed.

Source

Although misusing real-time databases, notification managers, and storage is not uncommon, it is concerning that such popular apps don’t apply basic security practices to protect their users and data.

featured photo for heimdal news
2021.05.13 QUICK READ

Fake Android and iOS Malicious Apps Might Be Stealing Your Money

featured photo for heimdal news
2021.03.29 QUICK READ

New Powerful Android Malware Disguised as System Update is Attacking Android Phones

weekly-security-roundup
2015.09.04 QUICK READ

Weekly Security Roundup #45: Are You Putting Yourself at Risk With the Apps You Use?

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP