Security researchers have discovered serious vulnerabilities in nearly 2,000 Android apps that allow attackers to access and manipulate data on an affected device.
A vulnerability in the MediaService class in 2,186 Android apps can let a remote attacker control an affected device and view sensitive data such as call logs, messages, photos, audio files, and contact lists, Check Point Software Technologies warned on Tuesday.
By abusing the vulnerabilities, hackers can intercept messages and calls and delete data such as call logs, messages, and the device’s cache. A more severe vulnerability can allow attackers to gain full access to an Android device.
Viber and WhatsApp apps
Check Point also said it uncovered severe vulnerabilities in the popular Viber and WhatsApp tracking apps that would allow attackers to intercept calls and hijack user accounts. It uncovered over one hundred additional issues affecting other apps as well.
In total, Check Point found and reported the vulnerabilities to the app developers behind 2,231 vulnerable apps: 2,057 in the official Play Store and 68 that were found outside of the store. Of the total, 1,908 were found in the last month.
All of the vulnerable apps are from 2014 or earlier, and at least four of them remain in the official Play Store today. A handful of the apps were from large companies with significant followings, including the official Facebook app, WhatsApp Messenger and Yahoo Messenger.
Only a small fraction of these apps have been updated to close the security holes, according to Check Point, and many are no longer available in the Play Store.
While Check Point didn’t mention any companies by name, it did publish a list of the companies and organizations it contacted. The organizations included Alphabet, Microsoft, Sony, Samsung, Huawei, HTC, LG, TCL, MediaTek and UCWeb.
“It is unacceptable that so many of these widely used apps have such glaring security flaws,” said Oded Vanunu, head of products vulnerability research at Check Point.
Microsoft reviews
Microsoft said it was preparing a security update to address the vulnerability soon. WhatsApp said it was looking into the matter. Neither Viber nor the Google Play Store immediately responded to a request for comment.
The vulnerabilities were found by applying the Security Benchmarks for the Android platform developed by Check Point to all 2,186 vulnerable apps.
This is just the latest finding indicating that Android devices are vulnerable to attack. Google recently discovered a flaw in the way the Android Go operating system handles files that could let attackers bypass restrictions and access data.
Several other Android issues have been made public in the past few months.
A team of researchers found a bug last month that could let an attacker wipe data stored on an Android device. They also discovered a bug that would let hackers remotely execute malicious code on affected devices. Researchers from the University of California, Berkeley, found in February that the Android operating system doesn’t enforce password rules for third-party apps and could make those apps vulnerable to remote attacks.
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan.