Until recently, Google’s namesake Android app, which more than five billion installs to date, had a vulnerability that could have allowed an attacker to quietly steal personal data from a victim’s device.
Sergey Toshin, founder of mobile app security startup Oversecured, said in a blog post that the vulnerability has to do with how the Google app relies on code that is not bundled with the app itself. Many Android apps, including the Google app, reduce their download size and the storage space needed to run by relying on code libraries that are already installed on Android phones.
But the flaw in the Google app’s code meant it could be tricked into pulling a code library from a malicious app on the same device instead of the legitimate code library, allowing the malicious app to inherit the Google app’s permissions and granting it near-complete access to a user’s data. That access includes access to a user’s Google accounts, search history, email, text messages, contacts and call history, as well as being able to trigger the microphone and camera, and access the user’s location.
The malicious app would have to be launched once for the attack to work, Toshin said, but that the attack happens without the victim’s knowledge or consent. Deleting the malicious app would not remove the malicious components from the Google app, he said.
A Google spokesperson told TechCrunch that the company fixed the vulnerability last month and it had no evidence that the flaw has been exploited by attackers. Android’s in-built malware scanner, Google Play Protect, is meant to stop malicious apps from installing. But no security feature is perfect, and malicious apps have slipped through its net before.
Toshin said the Google app vulnerability is similar to another bug discovered by the startup in TikTok earlier this year, which if exploited could have allowed an attacker to steal a TikTok user’s session tokens to take control of their account.