Over 1,000 of the 13,500 most popular Android apps show signs that they implement the SSL/TLS encryption protocol insecurely, according to new research.
Tests performed on 100 selected apps confirmed 41 of them were vulnerable to known attacks, according to researchers. They were able to harvest users’ bank and credit card details as well as the access tokens for their Facebook, Twitter and email accounts, and messaging services, said the researchers from Leibniz University in Hannover, Germany and Philipps University in Marburg, Germany.
In one test, the researchers injected a bogus virus signature into Zoner AntiVirus for Android that referred to the app itself. The AV app proceeded to classify itself as a threat and then offered to delete itself.
The researchers first examined the apps' code for typical signs that it insufficiently checks the certificates used to verify a communication partner's identity. Because a code match alone could not show that the suspect code was actually reached at run time, they then carried out targeted man-in-the-middle attacks to confirm which encrypted connections could really be intercepted.
The vulnerabilities they found fall into two categories: 20 apps simply accepted any certificate, while the other 21 did check that the certificate carried a valid signature but did not verify that it was issued for the correct host name. The second flaw is what let the researchers fool the anti-virus app: they presented a certificate that was validly signed, but issued for a server they controlled rather than the vendor's.
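The two bug classes above are easy to recognise in decompiled Java, which is why a code scan was the researchers' first step. The following is an added illustration, not the MalloDroid tool and not code from any of the tested apps: a small Python triage script that greps constructed Java fragments (written here for the example) for a `checkServerTrusted` body that can never reject a chain, and for a `HostnameVerifier` that accepts every name, and contrasts them with a hardened fragment that delegates to the platform trust store. As in the research, a hit only marks a candidate; whether the code path is live still has to be confirmed with a real interception test.

```python
"""MalloDroid-style static triage for the two Android SSL/TLS bug classes
described in the article. Illustrative re-implementation only (not the
researchers' MalloDroid tool): it greps decompiled Java for the idioms that
(a) trust every certificate and (b) accept every host name."""
import re

# Constructed Java fragments standing in for decompiled app code. They are not
# taken from any real app; they simply reproduce the idioms the article names.
SAMPLES = {
    # Category 1: a TrustManager whose checkServerTrusted never rejects anything.
    "trust_all": """
        TrustManager[] tm = new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }};
    """,
    # Category 2: the chain is validated but the name in the cert is never compared.
    "allow_all_hostnames": """
        HttpsURLConnection.setDefaultHostnameVerifier(
            SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    """,
    "custom_verifier": """
        HostnameVerifier hv = new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        };
    """,
    # Hardened form: delegate to the platform trust store, keep the default verifier.
    "hardened": """
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            defaultTm.checkServerTrusted(chain, authType);
        }
        HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
    """,
}

TRUSTS_ALL_CERTIFICATES = "TRUSTS_ALL_CERTIFICATES"
ALLOWS_ALL_HOSTNAMES = "ALLOWS_ALL_HOSTNAMES"

# checkServerTrusted(...) [throws ...] { body } -- body captured up to the first
# closing brace, which is enough for the flat method bodies these idioms use.
_CHECK_SERVER = re.compile(
    r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.\s,]+?)?\{(?P<body>[^{}]*)\}",
    re.S,
)
_ALLOW_ALL_CONST = re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier")
# verify(String host, SSLSession s) { return true; }
_VERIFY_TRUE = re.compile(
    r"\bverify\s*\(\s*(?:final\s+)?String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*"
    r"\{\s*return\s+true\s*;\s*\}",
    re.S,
)


def trusts_all_certificates(src: str) -> bool:
    """True if some checkServerTrusted body can neither throw nor delegate."""
    for m in _CHECK_SERVER.finditer(src):
        body = m.group("body")
        rejects = "throw" in body or re.search(r"\.checkServerTrusted\s*\(", body)
        if not rejects:
            return True
    return False


def allows_all_hostnames(src: str) -> bool:
    """True if the code installs a verifier that accepts any name."""
    return bool(_ALLOW_ALL_CONST.search(src) or _VERIFY_TRUE.search(src))


def classify(src: str) -> set:
    """Return the set of bug-class labels whose signature appears in src."""
    findings = set()
    if trusts_all_certificates(src):
        findings.add(TRUSTS_ALL_CERTIFICATES)
    if allows_all_hostnames(src):
        findings.add(ALLOWS_ALL_HOSTNAMES)
    return findings


def scan(samples: dict) -> dict:
    """Map each fragment name to its sorted findings (empty list = no hit)."""
    return {name: sorted(classify(src)) for name, src in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name:22s} {', '.join(hits) or 'no SSL signature found'}")
```

Running it reports the first three fragments under their respective categories and nothing for the hardened one. The regex approach deliberately mirrors the limitation the article mentions: it cannot tell whether the flagged TrustManager is ever installed on a socket, so every hit still needs the dynamic test.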
The researchers plan to release the MalloDroid tool they developed for the code analysis. While they have not disclosed the names of the affected applications, they are among the popular ones: Google Play's install-count ranges put cumulative installs of the affected apps at between 39.5 million and 185 million.