A team of researchers from the University of Michigan discovered that hundreds of applications in Google Play Store have a security hole that could potentially allow hackers to steal data from and even implant malware on millions of Android smartphones.
The University of Michigan team says that the actual issue lies within apps that create open ports — a known problem with computers — on smartphones.
So, this issue has nothing to do with your device’s operating system or the handset; instead, the origin of this so-called backdoor is due to insecure coding practices by various app developers.
The team used its custom tool to scan over 100,000 Android applications and found 410 potentially vulnerable applications — many of which have been downloaded between 10 and 50 Million times and at least one app comes pre-installed on Android smartphones.
Here I need you to stop and first let’s understand exactly what ports do and what are the related threats.
Ports can be either physical or electronic in nature. Physical ports are connection points on your smartphones and computers, such as a USB port used to transfer data between devices.
Electronic ports are those invisible doors that an application or a service use to communicate with other devices or services. For example, File Transfer Protocol (FTP) service by default opens port 21 to transfer files, and you need port 80 opened in order to connect to the Internet.
In other words, every application installed on a device opens an unused port (1-to-65535), can be referred as a virtual door, to communicate for the exchange of data between devices, be it a smartphone, server, personal computer, or an Internet-connected smart appliance.
Over the years, more and more applications in the market function over the Internet or network, but at the same time, these applications and ports opened by them can be a weak link in your system, which could allow a hacker to breach or take control of your device without your knowledge.
This is exactly what the University of Michigan team has detailed in its research paper [PDF] titled, “Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications.”
According to the researchers, the major issue is with the apps like WiFi File Transfer, which has been installed between 10 million and 50 million times and allows users to connect to a port on their smartphone via Wi-Fi, making it easy to transfer files from a phone to a computer.
But due to insufficient security, this ability of the apps is apparently not limited to merely the smartphone’s owner, but also malicious actors.
However, applications like WiFi File Transfer pose fewer threats, as they are designed to work over a local network only, that requires attackers to be connected to the same network as yours.
On the other hand, this issue is extremely dangerous in the scenarios where you connect to a public Wi-Fi network or corporate network more often.
To get an initial estimate on the impact of these vulnerabilities, the team performed a port scanning in its campus network, and within 2 minutes it found a number of mobile devices potentially using these vulnerable apps.
“They manually confirmed the vulnerabilities for 57 applications, including popular mobile apps with 10 to 50 million downloads from official app marketplaces, and also an app that is pre-installed on a series of devices from one manufacturer,” the researchers say.
“The vulnerabilities in these apps are generally inherited from the various usage of the open port, which exposes the unprotected sensitive functionalities of the apps to anyone from anywhere that can reach the open port.”
No doubt, an open port is an attack surface, but it should be noted that port opened by an application can not be exploited until a vulnerability exists in the application, like improper authentication, remote code execution or buffer overflow flaws.
Besides this, an attacker must have the IP address of the vulnerable device, exposed over the Internet. But getting a list of vulnerable devices is not a big deal today, where anyone can buy a cheap cloud service to scan the whole Internet within few hours.
However, smartphones connected to the Internet via wireless network behind a router are less impacted by this issue, because in that case, attackers would need to be on the same wireless network as the victim.
To prove its point, the team of researchers has also demonstrated various attacks in a series of videos, posted below:
1. Using an app’s open ports to steal photos with on-device malware
2. Stealing photos via a network attack
3. Forcing the device to send an SMS to a premium service
The easiest solution to this issue is to uninstall such apps that open insecure ports, or putting these applications behind a proper firewall could also solve most of the issues.