This Android security bug let malicious apps siphon off private user data
Any malicious app on an Android device could have exploited this bug to inject malicious modules into other apps that rely on Google’s Play Core library.
A security vulnerability was discovered in Android that could have allowed malicious apps to siphon off sensitive data from other apps on the device.
App security startup Oversecured found the vulnerability in Google’s widely used Play Core library. Play Core lets developers push in-app updates and new feature modules, like language packs or game levels, to their Android apps, reports TechCrunch.
Any malicious app on an Android device could have exploited this bug to inject malicious modules into other apps that rely on Google’s Play Core library. This would have helped the malicious apps steal private information such as passwords and credit card numbers from those apps.
Oversecured founder Sergey Toshin told TechCrunch that exploiting this Android bug was “pretty easy”.
Oversecured built a proof-of-concept app using a few lines of code and tested the vulnerability on Google Chrome for Android, which relied on a vulnerable version of the Play Core library. Toshin told TechCrunch that the proof-of-concept app was able to steal a victim’s browsing history, passwords and login cookies.
Toshin added that the bug also affected some of the most popular apps on the Android app store.
Google has confirmed this bug has now been fixed. The bug was rated 8.8 out of 10.0 for severity. A Google spokesperson said that the company appreciates the researcher reporting this issue to them and that the vulnerability was fixed in March this year.
To make sure your apps are free from this issue, all users need to update their apps with the latest Play Core library.