Monday, January 13, 2025
HomeAndroidMore than 1,300 Android Apps Steals user Data Even After the Permission...

More than 1,300 Android Apps Steals user Data Even After the Permission Denied

Published on

Smartphone plays a vital role in day-to-day activities, it has access to sensitive resources such as sensors, camera, Microphones, and GPS. For an end-user, it is crucial to protect the phone from unauthorized access.

The Android phones are the most-popular and most-used phone operating system, starting from Android 6.0 users grant and revoke app permissions at run time for third party applications.

Security researchers from IMDEA Networks Institute, U.C. Berkeley & ICSI AppCensus, Inc discovered that apps can evade the permission model and gain access to the sensitive data without user consent.

The apps can gain access to the sensitive area through both covert and side channels, more than 88,000 apps from U.S. Google play, out of the 1,325 apps found violating the permission systems.

According to the report, side channels present in the implementation of the permission system allow apps to access protected data and system resources without permission; whereas covert channels enable communication between two colluding apps so that one app can share its permission protected data with another app lacking those permissions. Both pose threats to user privacy.

The Attacks are grouped into five different types of covert and side-channel attack to extract the sensitive data from the device.

IMEI (Salmonads & Baidu)

Five apps that developed in third party developers platform Salmonads platform found to contain IMEI, even though they don’t have permission to access it.

Further analysis revealed that the application contains Salmonads SDK that exploits covert channels to read this information. The largest Chinese search engine Baidu uses the same SDK.

Network MAC Addresses

Android protects access to the device’s MAC address by default, researchers observed that apps transmitting the device’s MAC address without having permission to access it.

The Unity cross-platform game engine used in several Android mobile games spotted sending the MD5 hash of the MAC to Unity’s servers.

Router MAC Address

Access to the WiFi router MAC address (BSSID) is protected by the ACCESS_WIFI_STATE permission. Our analysis revealed two side channels to access the connected WiFi router information: reading the ARP cache and asking the router directly.

Geolocation

More than 70 apps sending location data to 45 different domains without having any of the location permissions.

For instance, Shutterfy and EXIF Metadata send precise geolocation including the latitude and longitude to its server, even though the permission was not provided.

“While this app may not be intending to circumvent the permission system, this technique can be exploited by a malicious actor to gain access to the user’s location.”

The bugs have been reported by researchers to Google the last September and they got bug bounty disclosing the issues and the fixes will be available with the release of Android Q.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Also Read:

Chinese Video App VidMate Stealing Personal Data, Drain Battery, Fake Ad Click to Generate Revenue From 500 Million Android Users

4 Million Android Users Infected by Malicious Beauty Camera App From Google Play that Steals Personal Pictures

GPlayed – New Malware Posed as Google Play App to Spy & Steal Data From Your Entire Android Phone

Newly Discovered Android Malware Stealing Data from Messaging Applications WhatsApp, Viber, Facebook

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

Microsoft Warns of MFA Issue Affecting Microsoft 365 users

Microsoft has issued a warning regarding an ongoing issue with Multi-Factor Authentication (MFA) that...

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New FireScam Android Malware Abusing Firebase Services To Evade Detection

FireScam is multi-stage malware disguised as a fake “Telegram Premium” app that steals data...

Android Security Updates: Patch for Critical RCE Vulnerabilities

The January 2025 Android Security Bulletin has issued important updates regarding critical vulnerabilities that...

Stealthy Steganography Backdoor Attacks Target Android Apps

BARWM, a novel backdoor attack approach for real-world deep learning (DL) models deployed on...