Home
Mobiles
Mobiles News
Google patches Android flaw that allows phishing apps to spoof genuine ones

Google patches Android flaw that allows phishing apps to spoof genuine ones

By NDTV Correspondent | Updated: 16 April 2014 14:17 IST

Google has released a patch that fixes a security vulnerability in Android related to app permissions. Security firm FireEye discovered late last year that apps could modify the icons of other apps on Android home screens and make them point to any other app or website, which would allow attackers to divert users to fake versions of trusted apps and websites in order to steal information.

The security lapse is possible because until now, apps have been able to modify the Android launcher's Read and Write attributes without explicitly asking for user permission. These permissions had previously been classified as "normal", indicating there was no known potential for abuse. "Normal" permissions are not displayed to the user prior to app installation, unlike more sensitive ones such as allowing access to location data, contacts, and the camera.

However, attackers could easily modify icons to point to malicious websites or apps that spoof the interfaces of known, trusted ones, such as banking and shopping apps. Commonly known as phishing, this kind of malware tricks users into entering their PIN numbers, passwords or credit card information, which are then stolen.

The problem affects devices up to and including those running Android 4.4.2, the most recent version. Custom Android skins including those of Samsung and HTC, as well as the aftermarket CyanogenMod, were found to be vulnerable.

FireEye demonstrated a proof of concept app which made it past Google's security scans and was briefly live in the Google Play store, but was withdrawn before anyone could accidentally download it. No requests for permissions were displayed to test users on a Nexus 7 tablet.

Google has now acknowledged the problem and has released a patch to Android device manufacturers, but it will be up to them to decide which devices will receive updates, and when. Android fragmentation is a known problem, and many devices might never be updated. Users must therefore be constantly vigilant of potential phishing attacks.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.