Thanks to a series of newly disclosed vulnerabilities, hackers could exploit even the most innocent-looking Android apps and take them over. Attackers could then siphon information off of the compromised app, use it without the user's consent, or even replace legitimate apps with fake ones designed to steal information, as security researchers at IBM revealed on Monday.
Exploiting one of these vulnerabilities, hackers could give a malicious app that normally wouldn't have the ability to perform certain actions "the ability to become a super app" and "own the device," as IBM researchers Or Peles and Roee Hay wrote in a blog post.
Essentially, when a user installs a seemingly harmless app from the Google Play store, the app downloads more code and uses the vulnerability, giving the app more permissions and functions than it originally had. This bug was found in a component of Android's platform known as OpenSSLX509Certificate, according to IBM.
The researchers contacted Google in late May and the company issued patches for the bugs three days later, according to the researchers. However, given Android's faulty update ecosystem, IBM recommends users make sure they have the latest version of Android, since the patch issued by Google needs to be pushed out by manufacturers and carriers too.
The researchers created a video showing how they were able to take advantage of the bug using a malicious app, and replace the real Facebook app with a fake one.
The researchers also found other vulnerabilities in a series of third-party Android Software Development Kits (or SDKs, a set of tools that can be used to develop apps). These bugs allow hackers to remotely execute code from apps that use these SDKs.
A Google spokesperson said that applications that use the SecurityProvider within Google Play services have had the fix since June. "For other applications, the fix is currently rolling out to Nexus users and we have also reported it to our partners."
These newly found bugs come on the heels of the now-infamous Stagefright bugs, which allow hackers to take control of an Android phone with a simple malicious MMS message. When it was announced, researchers estimated that Stagefright affected 950 million Android devices.
The bugs revealed by IBM's security researchers are less widespread, although they affected 55 percent of Android devices when they were discovered, according to the researchers, who wrote a white paper and will present their findings at the USENIX conference on Monday.
This story has been updated to include the comments from Google's spokesperson.