Security firm FireEye has discovered a major security flaw in Google’s mobile operating system, ComputerWorld reports, which could allow an attacker to modify the behavior of an app icon in the launcher in order to send users to a malicious site that would collect personal data. It’s not clear whether any apps in the Google Play Store, or anywhere else, have already used this particular security issue to steal data from users. Google has apparently acknowledged the problem and already released a patch to OEM partners, though it will be a while until the fix hits affected Android devices.
“Many Android vendors were slow to adapt security upgrades. We urge these vendors to patch vulnerabilities more quickly to protect their users,” the company wrote.
For the purpose of demonstrating the flaw, FireEye published its Android app in the Play Store, proving that Google’s filters won’t prevent such phishing apps from being brought to the app store. Once installed on a device, the application would then be able to covertly take over the icon of certain apps – such as mobile banking applications – and send users to malicious websites that would then trick them into entering their personal details.
The app apparently uses “normal” app permissions, with FireEye having demoed its proof-of-concept attack on a Nexus 7 running Android 4.4.2. The company also said that apps with this phishing feature could work on many other devices, including smartphones and tablets that don’t use the “Launcher” functionality in AOSP – the company tested a Galaxy S4 running Android 4.3, an HTC One on Android 4.4.2 and a Nexus 7 running CyanogenMod 11, with the same results.
Recently, Google issued an update to its ‘Verify apps’ security feature to better monitor app behavior on a smartphone. Before that, it was discovered that legitimate Google Play Store apps were able to covertly turn millions of devices into miners for digital currency.