17 Percent of Android Apps Contain Major Connection Flaws

Thousands of Android apps in the Google Play store are flawed in ways that make supposedly secure connections vulnerable to meddling from third parties, who could steal personal and financial information.

A study of more than 13,000 popular free apps found that 17 percent of the apps had weak and insecure SSL/TLS connections. A properly secured connection is absolutely essential when sending sensitive information, such as in a mobile banking app.

Attackers can exploit these flaws with man-in-the-middle (MITM) attacks that intercept data as it travels wirelessly.

To test the concept, the German study team, composed of six researchers from Philipps University in Hamburg and Leibniz University in Hannover, managed to obtain credit-card numbers and account-login details that it should not have been able to access, Kaspersky's Threatpost security blog reported.

The team created a proof-of-concept app, dubbed MalloDroid, that's meant to sniff out exploitable SSL bugs. It netted nearly 1,100 of them.

"These 1,074 apps represent 17 percent of the apps that contain HTTPS URLs," the researchers said in their report, referring to apps that link to material from secure Web sources. "We have captured credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts.

"We have successfully manipulated virus signatures downloaded via the automatic update functionality of an anti-virus app ... It was possible to remotely inject and execute code in an app created by a vulnerable app-building framework."

"The findings of our investigation suggest several areas of future work," the team, who will make MalloDroid available to consumers, said. "There seems to be a need for more education and simpler tools to enable easy and secure development of Android apps."

In other words, the affected apps should not be trusted with sensitive details such as credit-card numbers and login credentials. Unfortunately, Threatpost did not name the affected apps, and the academic paper that might list them is behind a paywall.

A synopsis of the paper said only that the apps had been installed by "between 39.5 [million] and 185 million users."

According to Threatpost, the researchers suggested that an Android-specific implementation of the Electronic Frontier Foundation's HTTPS Everywhere browser plug-in might solve the problem.

Follow Ben on Twitter.
