Android Apps Are Conspiring to Steal Your Data

Apps on the average Android device have access to mountains of personal information. Thanks to broad and oftentimes unnecessary permission settings, these apps know users’ exact location, email information, passwords, credit card numbers and expiration dates, health status, browsing habits, and more. What’s even worse is that apps are now sharing this wealth of information with each other, filling in information gaps to provide app developers with an unsettling amount of private data.

According to a recent study undertaken by security researchers at Virginia Tech, apps have been trading information, some with an intention to mine private user data. Using a software tool named DIALDroid, which was custom-built for the study, researchers were able to uncover more than 23,000 such colluding pairs. In particular, researchers pinpointed a relatively small number of sender apps involved in the vast majority of the uncovered colluding pairs.

The Culprits
The worst offenders were often those apps that appeared entirely innocent on the surface. The apps most likely to engage in this collusion practice were ones that provided users with wallpapers, ringtones, new emojis, and even flashlight services. In one instance, a torch app leaked the geolocation and contact data of users. In another instance, an app designed to provide Muslim users with prayer times made location data available to other apps within the same device.

The Good News and the Bad News
According to Daphne Yao, a member of the security research team, the actual rate of collusion between these compromising apps is generally quite low. On the other hand, Yao notes that now that the security flaw has been exposed, it is more likely to be taken advantage of by hackers. Developers of malicious apps who have been made aware of the breach might be inclined to exploit this flaw. In addition, while the rate of collusion was low, the recorded information-sharing instances displayed a reckless attitude towards private data.

Regardless of whether individual apps share data intentionally, this type of security flaw still poses a danger of serious security breaches. Malicious apps looking to take advantage of this opening have the potential to collude with unsuspecting, authentic apps. In fact, a malware attack targeting Google accounts in 2016 did just that. By accessing login information through malicious apps’ collusion with Google apps, hackers were able to breach more than one million accounts across Asia and the Americas. If you’ve never paid much attention to the permissions that you give certain apps, it’s time to start paying attention.

PSafe Newsroom
