Android Apps Can Harvest Your Data Even If You Have Denied Permissions

Android applications are constantly acquiring user data without the users' knowledge. According to a recent study, a large part of the software installed on devices running Google’s operating system can harvest sensitive data without notifying the users or explicitly asking them.




Sensitive User Data Harvested By Android Apps, Many Users are Unaware

A recently published paper by a team of researchers shows that there are many ways Android apps can bypass Android’s permissions system and harvest data without explicit rights to do so. The paper is titled 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System and is written by a team of security experts who have studied the matter. It appears that various apps have found ways to bypass the permissions system. This appears to be done using two particular threats:

  • Covert Channel — This is a communication path between two applications that allows data transfer to take place. The exact mechanism is that an application reads certain information by interacting with other applications.
  • Side Channel — This is the other technique, which lets applications obtain privileged data without performing a proper permissions check.

To come up with this information, the researchers performed both static and dynamic analysis of apps obtained from the Google Play repository. The exact method was to devise an automatic scraper that retrieves both the APK and the associated metadata. Some of the personal data that can be hijacked includes the following:

  • IMEI — This is done by accessing the phone state and reading the IMEI of the mobile device.
  • Device MAC Address — By accessing the network state, the device’s MAC address can be acquired.
  • User Email Address — The email address of the victim user can be acquired by reading the account data of the Google device that the app is installed on.
  • Phone Number — The phone number of the installed device is acquired from the phone state.
  • SIM ID — The SIM ID of the installed device is acquired from the phone state.
  • Router MAC Address — By accessing the Wi-Fi state, the MAC address of the network’s router can be read.
  • Router SSID — By accessing the Wi-Fi state, the SSID of the network’s router can be read.
  • GPS Location — By reading the “fine location” values, the GPS coordinates of the mobile device can be acquired.
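
The check below is an added example, not code from the paper or the article: it combines a static step (permissions in a decoded AndroidManifest.xml) with a dynamic step (traffic captured from a test device) and reports data types from the list above that leave the device without the matching permission being held. The permission names are an assumed mapping of the article's list onto standard Android permissions, and the manifest, device values and flows are constructed sample input.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Data type -> guarding permission (assumed mapping of the article's list
# onto standard Android permission names).
REQUIRED = {
    "imei": P + "READ_PHONE_STATE", "phone_number": P + "READ_PHONE_STATE",
    "sim_id": P + "READ_PHONE_STATE", "device_mac": P + "ACCESS_NETWORK_STATE",
    "email": P + "GET_ACCOUNTS", "router_mac": P + "ACCESS_WIFI_STATE",
    "router_ssid": P + "ACCESS_WIFI_STATE", "gps": P + "ACCESS_FINE_LOCATION",
}

def declared_permissions(manifest_xml):
    """Permissions requested in a decoded (plain-text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def _norm(text):
    # Identifiers are often re-encoded (case, MAC separators) before sending.
    return text.lower().replace(":", "").replace("-", "")

def find_circumvention(manifest_xml, device_values, flows, denied=()):
    """Return (destination, data type, missing permission) for each planted
    device value seen in captured traffic without its permission being held."""
    held = declared_permissions(manifest_xml) - set(denied)
    findings = []
    for dest, payload in flows:
        body = _norm(payload)
        for dtype, value in device_values.items():
            if _norm(value) in body and REQUIRED[dtype] not in held:
                findings.append((dest, dtype, REQUIRED[dtype]))
    return findings

# Constructed sample input: manifest, values planted on a test device, flows.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SAMPLE_DEVICE = {"imei": "123456789012347", "router_mac": "AA:BB:CC:11:22:33",
                 "gps": "42.6977,23.3219"}
SAMPLE_FLOWS = [("ads.example.net", "id=123456789012347&v=2"),
                ("cdn.example.org", "bssid=aabbcc112233"),
                ("geo.example.com", "loc=42.6977,23.3219")]
```

Passing `denied` models a permission the app requests but the user has refused at runtime; a hit is a lead for manual review, not proof of a covert or side channel.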

More than 1325 Android apps are known to harvest data using these techniques. Depending on the way they are programmed, this number may rise. The study merely represents a small sample of what is available on Google Play. What’s more dangerous is the fact that a large number of malware applications are also found in other places, including download portals and sites.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
