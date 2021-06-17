



Until recently, Google’s namesake Android app, which has been installed more than 5 billion times, contained a vulnerability that could have allowed an attacker to quietly steal personal data from a victim’s device.

In a blog post, Sergey Toshin, founder of mobile app security startup Oversecured, said the vulnerability was related to how the Google app relies on code that isn’t bundled with the app itself. Many Android apps, including the Google app, rely on code libraries already installed on Android smartphones to reduce their download size and the storage space they need to run.

However, a code flaw meant the Google app could be tricked into pulling the code library from a malicious app on the same device rather than the legitimate code library. The malicious app would then inherit the Google app’s permissions, giving it nearly full access to the user’s data. This access includes the user’s Google account, search history, email, text messages, contacts, and call history, as well as the ability to trigger the microphone and camera and to access the user’s location.

According to Toshin, the malicious app needs to be launched once for the attack to work, but the attack takes place without the victim’s consent. Removing the malicious app doesn’t remove the malicious component from the Google app, he said.

A Google spokeswoman told TechCrunch that the company fixed the vulnerability last month and that there was no evidence the flaw had been exploited by an attacker. Google Play Protect, a malware scanner built into Android, aims to prevent the installation of malicious apps. However, no security feature is perfect, and malicious apps have previously slipped through the net.

According to Toshin, the vulnerability in the Google app is similar to another bug the startup discovered in TikTok earlier this year which, if exploited, could allow an attacker to steal a TikTok user’s session token and take control of their account.

Oversecured has discovered several other similar vulnerabilities, including in the Google Play app for Android and, more recently, in apps pre-installed on Samsung phones.

