Thousands of popular Android phone apps could be exposing sensitive user information by “colluding” with other apps that have – or haven’t – received permission to access data, according to a study presented Monday by Virginia Tech researchers.
The large-scale analysis highlights how seemingly harmless apps can pose widespread security risks that leave unassuming users vulnerable to cyberattacks.
“Researchers were aware that apps may talk to one another in some way, shape or form,” said co-author Gang Wang. “What this study shows undeniably with real-world evidence over and over again is that app behavior, whether it is intentional or not, can pose a security breach depending on the kinds of apps you have on your phone.”
The team separated the threats into two major categories: malware apps designed to launch a cyberattack, and apps that share information without the owner’s permission and then leak it to the internet. They could not determine the intentions of the developers of the apps grouped in the latter category.
“Of the apps we studied, we found thousands of pairs of apps that could potentially leak sensitive phone or personal information and allow unauthorized apps to gain access to privileged data,” said co-author Daphne Yao.
More than 110,000 Android apps were reviewed over a three-year period. The team identified 16,000 pairs of apps that could potentially “collude,” which can occur when a sender app – such as the commonly used flashlight app – works with a receiver app to reveal a user’s information.
Ringtone and emoji apps presented some of the biggest security risks, according to the study.
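To make the sender/receiver pairing concrete, here is an added example (not the researchers’ tool) of a minimal static pair finder: it flags a sender that holds a sensitive permission and emits that data over an implicit intent action, paired with a receiver that listens on the same action without holding the permission, and notes whether the receiver could send it onward. The app descriptors and the action name are constructed for illustration; a real audit would derive them from each app’s manifest and data-flow analysis.

```python
from dataclasses import dataclass, field

# Permissions whose data the study's "collusion" concern centres on (assumed set).
SENSITIVE = {"READ_CONTACTS", "ACCESS_FINE_LOCATION", "READ_SMS", "READ_PHONE_STATE"}


@dataclass
class App:
    name: str
    permissions: set                                  # permissions granted to the app
    sends_to: dict = field(default_factory=dict)      # intent action -> permissions the sent data needs
    receives: set = field(default_factory=set)        # actions with exported, unprotected receivers


def find_collusion_pairs(apps):
    """Return (sender, receiver, permission) triples where the receiver can obtain
    data it lacks the permission for through a channel exposed by the sender."""
    findings = []
    for sender in apps:
        for action, needed in sender.sends_to.items():
            leaked = needed & sender.permissions & SENSITIVE   # data the sender can actually read
            if not leaked:
                continue
            for receiver in apps:
                if receiver is sender or action not in receiver.receives:
                    continue
                for perm in sorted(leaked - receiver.permissions):
                    findings.append((sender.name, receiver.name, perm))
    return findings


def risk_rank(findings, apps):
    """Append whether the receiver also holds INTERNET, i.e. can leak the data off-device."""
    by_name = {a.name: a for a in apps}
    return [f + ("INTERNET" in by_name[f[1]].permissions,) for f in findings]


# Constructed sample: a flashlight app that reads location and broadcasts it,
# a ringtone app without location permission but with network access, and an
# emoji app that already holds the permission (so no laundering occurs).
FLASHLIGHT = App("flashlight", {"ACCESS_FINE_LOCATION", "CAMERA"},
                 sends_to={"com.example.LOCATION_UPDATE": {"ACCESS_FINE_LOCATION"}})
RINGTONE = App("ringtone", {"INTERNET"}, receives={"com.example.LOCATION_UPDATE"})
EMOJI = App("emoji", {"ACCESS_FINE_LOCATION"}, receives={"com.example.LOCATION_UPDATE"})
SAMPLE_APPS = [FLASHLIGHT, RINGTONE, EMOJI]

if __name__ == "__main__":
    for sender, receiver, perm, can_exfil in risk_rank(find_collusion_pairs(SAMPLE_APPS), SAMPLE_APPS):
        print(f"{sender} -> {receiver}: {perm} (receiver has INTERNET: {can_exfil})")
```

On the sample, only the flashlight/ringtone pair is reported, because the emoji app holds the permission itself and gains nothing from the channel.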
“While we can’t quantify what the intention is for app developers in the non-malware cases, we can at least raise awareness of this security problem with mobile apps for consumers who previously may not have thought too much about what they were downloading onto their phones,” Wang said.
“App security is a little like the Wild West right now with few regulations. We hope this paper will be a source for the industry to consider re-examining their software development practices and incorporate safeguards on the front end.”