May 24 2017

New Scams and Research Find Vulnerabilities in Gmail and Android Apps

Risks in popular apps are emerging, and researchers and hackers alike are taking notice.

Earlier this month, some Android users of Gmail may have received a familiar email with a link inviting them to collaborate on a Google Doc, perhaps from a fellow student, teacher or family member. However, clicking on the link would result in a hack of the user’s Google account.

Campus Technology reports that Google stopped the attack after about 1 million users had received at least one of the phishing emails.

Since the attack, Google has released an update to its Android app that warns users if they click a potentially phony link: “The site you are trying to visit has been identified as a forgery intended to trick you into disclosing financial, personal or other sensitive information,” the alert reads.

Although Google says on its blog that all emails they flag might not really be dangerous, the alert should serve to remind users to be extra careful about clicking on links.

U of M Researchers Spot Holes in Hundreds of Apps

A research report from the University of Michigan released around the same time as the Gmail phishing scam reveals that hundreds of Android apps have “wormholes” (i.e., open ports) that allow a bad actor to exploit a mobile device, reports Campus Technology.

Researchers in Michigan’s Electrical Engineering and Computer Science department found 410 apps in the Google Play store that had wormholes “with dangerous insecurities and 956 potential exploits in total,” including an app that comes preinstalled on some Android devices.

Campus technology reports that, using a static analysis tool they created, the research team analyzed about 100,000 apps and identified and characterized the open port usage.

From its analysis, the university found five main reasons for open port usage:

  • Data sharing that opens a path from a hacked device to a remote host. Sixty percent of these do not require client authorization.
  • A proxy path that forwards input requests to other destinations.
  • Remote execution, which triggers specific actions like an SMS.
  • A Voice over IP phone system, which can listen to incoming call requests and spoof caller IDs to make phishing much easier.
  • Adobe PhoneGap, which creates paths on apps by Gap/Cordova. U of M found these to be the most secure.

In their research report, the U of M team indicates that the traditional protection from open port usage — a firewall — was not the most viable option for smartphone users because “it is hard for individual users to configure suitable firewall rules for each app installed on the device.”

The research team recommends that app users ensure valid and proper authentication for anything connecting to their device.


Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.