Hundreds of Android applications on the Google Play store have a security flaw that lets attackers take control of the devices on which they are installed to enable them to steal data or install malware.
Vulnerable applications include some that have been downloaded between 10 and 50 million times and at least one that comes pre-installed on Android smartphones.
Those are the findings of researchers at the University of Michigan, Ann Arbor, who examined thousands of Android applications for their susceptibility to attacks via open ports.
An ‘open port’, as the researchers noted in a just-released technical report on their findings, is a communication interface that is typically used by server applications to receive requests from remote clients.
Improperly secured ports have long been a security issue for IT organizations responsible for protecting networks and mobile devices because they provide a way for attackers to gain access to systems and data. Some of the most widespread attacks in recent years—including attacks exploiting the Heartbleed flaw—were enabled via open ports, they noted. Numerous tools are available that allow almost anyone to scan the network for computers with open ports that can be exploited.
The security implications of open ports are well understood in the server context, but have not been explored adequately in the mobile context, the researchers said in the paper.
Though smartphone operating systems such as Android incorporate support for open ports, there is little understanding among the security community about how and why mobile applications use them, the researchers said.
To understand the issue a little better, the researchers developed a tool they dubbed OPAnalyzer to identify open port usage in Android applications. The researchers used OPAnalyzer on more than 24,000 Android apps in Google Play, including some of the most popular ones in the app store.
The exercise revealed that 1,632 Android apps, or about 6.8 percent of the total, have open port functionality. About half of these applications had more than 500,000 downloads. The apps used open ports for several reasons, including data sharing, text messaging, Voice over IP calls, remote execution and file sharing between devices in close proximity to each other.
The researchers used their OPAnalyzer tool to check what kind of security controls and constraint mechanisms mobile app developers have incorporated into their applications in order to protect port usage. The researchers looked for applications with weak controls and those that leave ports open by default or had no mechanism for controlling access to the port by rogue services.
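A defender-side triage of the same question, as an added example that is not part of the article or of OPAnalyzer: parse a `/proc/net/tcp` listing (the format Android exposes, readable via `adb shell`) and flag app-owned listening sockets bound to all interfaces rather than loopback. The sample listing, the uids and the little-endian address decoding are assumptions made for the example.

```python
import socket
import struct

# Constructed sample of /proc/net/tcp (Android uses the Linux format).
# uids 10057/10058 are app uids; port 8080 (0x1F90) is bound on all
# interfaces, port 10000 (0x2710) on loopback only; row 2 is an ESTABLISHED
# connection, not a listener.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10057        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10058        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A6E8 0100007F:1F90 01 00000000:00000000 00:00000000 00000000 10057        0 12347 1 0000000000000000 100 0 0 10 0
"""

LISTEN = "0A"          # TCP state code for LISTEN in /proc/net/tcp
FIRST_APP_UID = 10000  # Android assigns uids >= 10000 to installed apps


def decode_addr(hex_addr):
    """Turn '0100007F:2710' into ('127.0.0.1', 10000).

    The kernel prints the IPv4 address in host byte order, so on the usual
    little-endian device it must be unpacked as '<I' (assumption for this example).
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(text):
    """Return (uid, ip, port, exposed) for every LISTEN socket; exposed means not loopback."""
    result = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        uid = int(fields[7])
        result.append((uid, ip, port, not ip.startswith("127.")))
    return result


def exposed_app_ports(text):
    """Return [(uid, ip, port)] for app-owned listeners reachable from off the device."""
    return [(uid, ip, port) for uid, ip, port, exposed in listening_sockets(text)
            if exposed and uid >= FIRST_APP_UID]


if __name__ == "__main__":
    for uid, ip, port in exposed_app_ports(SAMPLE):
        print(f"app uid {uid} listens on {ip}:{port} (reachable from the network)")
```

A listener on a wildcard address is only a lead: the app may still authenticate clients, which is the access-control question the researchers examined next.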
The analysis showed some 410 applications to be vulnerable to attacks via the open ports they used. In total, the researchers discovered 956 potential exploits that could be used against the vulnerabilities.
“The exploits can lead to a large number of severe security and privacy breaches,” the researchers said. They give attackers a way to remotely install malware and to steal sensitive data from devices including security credentials, location data, contacts and photos.
The researchers said they had reported their discoveries to many app developers, some of whom have already fixed the problem. In addition, the researchers have also proposed countermeasures the developers can take to make port usage safer on their applications.