A group of security researchers from the University of Michigan ( Yunhan Jack Jia, Qi Alfred Chen, Yikai Lin, Chao Kong, and Prof. Z. Morley Mao) discovered a security hole in hundreds of applications in Google Play Store that could be exploited by hackers to steal data from and even deliver malicious code on millions of Android devices.
The issue affects all the applications that open ports and don’t properly manage them due to insecure coding practices of the development teams. Usually, mobile applications open ports to allow the communications with other entities, for example, to exchange data with a web service, clearly these ports are a potential entry point for hackers in presence of a vulnerability like authentication flaws, buffer overflow vulnerabilities, or a remote code execution issues.
The researchers devised a tool called OPAnalyzer that was used to scan more than 100,000 Android applications and discovered 410 potentially vulnerable applications. The potential impact of the issue is severe because the applications have been downloaded between 10 and 50 Million times and at least one mobile app comes pre-installed on Android smartphones.
“From the identified vulnerable usage, we discover 410 vulnerable applications with 956 potential exploits in total. We manually confirmed the vulnerabilities for 57 applications, including popular ones with 10 to 50 million downloads on the official market, and also an app that is pre-installed on some device models.” reads the research paper (“Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications“) published by the experts “These vulnerabilities can be exploited to cause highly-severe damage such as remotely stealing contacts, photos, and even security credentials, and also performing sensitive actions such as malware installation and malicious code execution.”