Major security flaw discovered in Android

Chris Smith

April 16, 2014 at 10:36 AM

This man wants to be Google’s new worst nightmare

Security firm FireEye has discovered a major security flaw in Google’s mobile operating system, ComputerWorld reports, which could allow an attacker to modify the behavior of an app icon in the launcher in order to send users to a malicious site that would collect personal data. It’s not clear whether any apps in the Google Play Store, or anywhere else, have already used this particular security issue to steal data from users. Google has apparently acknowledged the problem and already released a patch to OEM partners, though it will be a while until the fix hits affected Android devices.

“Many Android vendors were slow to adapt security upgrades. We urge these vendors to patch vulnerabilities more quickly to protect their users,” the company wrote.

For the purpose of demonstrating the flaw, FireEye published its Android app in the Play Store, proving that Google’s filters won’t prevent such phishing apps from being brought to the app store. Once installed on a device, the application would then be able to covertly take over the icon of certain apps – such as mobile banking applications – and send users to malicious websites that would then trick them into entering their personal details.

The app apparently uses “normal” app permissions, with FireEye having demoed its proof-of-concept attack on a Nexus 7 running Android 4.4.2. The company also said that apps with this phishing feature could work on many other devices, including smartphones and tablets that don’t use the “Launcher” functionality in AOSP – the company tested a Galaxy S4 running Android 4.3, a HTC One on Android 4.4.2 and a Nexus 7 running CyanogenMod 11, coming up with the same results.

Recently, Google issued an update to ‘Verify apps’ security feature to better monitor app behavior on a smartphone. Before that, it was discovered that legit Google Play Store apps were able to covertly turn millions of devices in miners for digital currency.

This article was originally published on BGR.com

News

Life

Entertainment

Finance

Sports

New on Yahoo

Major security flaw discovered in Android

Recommended Stories

Former NBA guard Darius Morris dies at 33

The FDIC change that leaves wealthy bank depositors with less protection

Timberwolves coach Chris Finch calls Jamal Murray's heat-pack toss on court 'inexcusable and dangerous'

Former House Speaker Paul Ryan says he’s not voting for Trump : 'Character is too important'

Cardinals lose C Willson Contreras after left arm fractured by J.D. Martinez's swing

Post-draft NFL fantasy power rankings: Offenses we love, like and want to stay away from

Ranking the best situations for the rookie quarterbacks: Start with Michael Penix in Atlanta at No. 1

These 3 stocks are poised to benefit from the massive energy transition

Phil Mickelson on the majors: 'What if none of the LIV players played?'

Blockbuster May trade by Padres, MVP Ohtani has arrived, Willie Mays’ 93rd birthday & weekend recap

NBA playoffs: Officials admit they flubbed critical kick-ball call in controversial final minute of Pacers-Knicks

2024 NFL Team Fantasy Football Power Rankings, 1.0

Social Security just passed Medicare as the government's most pressing insolvency risk

Fantasy Baseball Trade Analyzer: Buy into a pair of Astros sluggers

No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it

The Scorecard: Andy Pages looks set to go down as one of the best fantasy baseball waiver wire pickups of 2024

The best budgeting apps for 2024

Ex-Ole Miss QB and Denver Broncos draft pick Chad Kelly suspended at least nine games by CFL

Fed’s Kashkari: Rates will stay high for 'extended period' and can't rule out a hike

Anthony Edwards' arrival should have the Nuggets — and the entire league — on high alert