Researchers at Leibniz University of Hannover and Philipps University of Marburg in Germany have uncovered 41 Android apps in the Google Play store that leak sensitive data to a “man-in-the-middle” attacker, ranging from credit card information and email content to social networking site passwords. A man-in-the-middle attacker creates a fake Wi-Fi hotspot and uses a specially built attack tool to spy on the data the apps send over that connection.
“To evaluate the real threat of such potential vulnerabilities, we have manually mounted MITM attacks against 100 selected apps from that set. This manual audit has revealed widespread and serious vulnerabilities. We have captured credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts. We have successfully manipulated virus signatures downloaded via the automatic update functionality of an anti-virus app to neutralize the protection or even to remove arbitrary apps, including the anti-virus program itself. It was possible to remotely inject and execute code in an app created by a vulnerable app-building framework. The cumulative number of installs of apps with confirmed vulnerabilities against MITM attacks is between 39.5 and 185 million users, according to Google’s Play Market.
The results of our online survey with 754 participants showed that there is some confusion among Android users as to which security indicators are indicative of a secure connection, and about half of the participants could not judge the security state of a browser session correctly. We discussed possible countermeasures that could alleviate the problems of unencrypted traffic and SSL misuse. We offer MalloDroid as a first countermeasure to possibly identify potentially vulnerable apps.”
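The “SSL misuse” the researchers refer to is, in practice, app code that switches off the checks TLS depends on: a custom `X509TrustManager` whose `checkServerTrusted` body is empty (so any certificate is accepted), a `HostnameVerifier` that always returns `true`, or the Apache `ALLOW_ALL_HOSTNAME_VERIFIER` constant. The following is an added example of a static check for those patterns; it is not MalloDroid's code and is not from the paper. It scans Java source text with regular expressions and runs over a constructed sample of what decompiled app code with these defects looks like (the class names `TrustAll` and `Api` are made up for the illustration), alongside a clean sample that should produce no findings.

```python
import re

# Constructed sample of decompiled Java source from a hypothetical app.
# It deliberately contains the three classic certificate-validation defects.
SAMPLE_SOURCE = """
public class TrustAll implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}

public class Api {
    void connect() {
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
        SSLSocketFactory.getSocketFactory().setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
}
"""

# Constructed clean sample: uses the platform's default HTTPS validation,
# which verifies the certificate chain and the hostname.
SAFE_SOURCE = """
public class Api {
    void connect() throws IOException {
        URL url = new URL("https://example.com/login");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect();
    }
}
"""

# Each entry pairs a human-readable finding with the regex that detects it.
PATTERNS = [
    # checkServerTrusted(...) [throws ...] { }  -> every server certificate is accepted
    ("empty checkServerTrusted (accepts any certificate)",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}", re.S)),
    # boolean verify(...) { return true; }  -> certificate may belong to any host
    ("HostnameVerifier.verify always returns true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}", re.S)),
    # Apache HttpClient constant that disables hostname checking outright
    ("ALLOW_ALL_HOSTNAME_VERIFIER used",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
]


def find_ssl_misuse(source: str) -> list:
    """Return a list of {'finding', 'line'} dicts for each insecure pattern
    found in the given Java source text, ordered by line number."""
    findings = []
    for name, rx in PATTERNS:
        for m in rx.finditer(source):
            # 1-based line number of the match start
            line = source.count("\n", 0, m.start()) + 1
            findings.append({"finding": name, "line": line})
    findings.sort(key=lambda f: f["line"])
    return findings


if __name__ == "__main__":
    for label, src in (("sample app", SAMPLE_SOURCE), ("clean app", SAFE_SOURCE)):
        hits = find_ssl_misuse(src)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  line {h['line']}: {h['finding']}")
```

A text-level check like this is only a triage aid: it misses obfuscated or bytecode-only apps and can flag a `verify` method that returns `true` after real checks on earlier lines, so any hit should be confirmed by reading the code or by testing the app against a server presenting an untrusted certificate.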