Android applications are constantly acquiring user data without the users knowing about this process. According to a recent study a large part part of software installed on devices running Google’s operating system can harvest sensitive data without notifying or asking explicitly the users.
Sensitive User Data Harvested By Android Apps, Many Users are Unaware
A recently published paper by a team of researchers shows that there are a lot of ways that Android apps can use to bypass Android’s permissions system and harvest data without explicit rights to do so. The paper is titled 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System and is written by a team of security experts who have studied the matter. It appears that various software have discovered ways that this can be bypassed. This appears to done using two particular threats:
- Covert Channel — This is a communicative path between two applications in order for data transfer to take place. The exact mechanism is when the applications reads certain information by interacting with other applications.
- Side Channel — This is the other technique which makes applications to obtain privileged data without performing a proper permissions check.
In order to come up with this information the researchers have performed both static and dynamic analysis of apps obtained from the Google Play repository. The exact method is to devise an automatic scraper that retrieves both the APK and the associated metadata. Some of the personal data that can be hijacked includes the following:
- IMEI — This is done by accessing the phone state and reading the IMEI of the mobile device.
- Device MAC Address — By accessing the network state the device’s MAC address can be acquired.
- User Email Address — The email address of the victim users can be acquired by reading the account data of the Google device that it is installed on.
- Phone Number — The phone number of the installed device is acquired from the phone state.
- SIM ID — The phone number of the installed device is acquired from the phone state.
- Router MAC Address — By accessing the Wi-Fi state information about the MAC address of the network’s router can be read.
- Router SSID — By accessing the Wi-Fi state information about the SSID of the network’s router can be read.
- GPS Location — By reading the “fine location” values the GPS coordinates of the mobile device can be acquired.
More than 1325 Android apps are known to harvest data using these techniques. Depending on way they are programmed this number may rise. The study merely represents a small sample of what is available on Google Play. What’s more dangerous is the fact that a large number of malware applications are also found on other places, including download portals and sites.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: