Published on July 29th, 2019
An Android Spy App Left 1.7 Million Passwords And Nude Photos Exposed To Hackers
Android "tracker" apps aimed at couples and concerned parents are being widely sold on Google Play, even though many contain serious vulnerabilities. Good guy hackers say they can be turned into espionage software.
Google Play is full of apps that are marketed at couples and parents who want to spy on their loved ones. As Forbes has previously detailed, those same apps are often used in abusive relationships and installed by the abuser on the victim's phone without the latter knowing. But it turns out a large number of them contain some basic but shocking vulnerabilities that could allow anyone to log in and spy on phones running the software.
In the most worrisome example, an app called Couple Vow exposed 1.7 million user passwords, completely unprotected and in plain text. Anyone who had access to an account wouldn't just have all the location, text and call data of whoever was being tracked, but all content sent through the app's messaging feature. A separate vulnerability in the app's database meant hackers (thankfully benevolent ones in this case) could grab all 1.7 million users' data in tranches. In some cases that included nude images.
The leak was uncovered by researchers from the Germany-based Fraunhofer Institute for Secure Information Technology (SIT), who are delivering their findings at the DEF CON hacking convention in Las Vegas on Saturday. Their talk is bluntly titled "All Your Family Secrets Belong To Us - Worrisome Security Issues In Tracker Apps."
Couple Vow's weaknesses were rudimentary to say the least. In one case, all the researchers had to do was request the data from the app server using what's known as a GET request. There was no need to enter a username or password. And all user logins were stored completely unencrypted, readable to anyone with an internet connection. "You do not even have to attack the server. A single GET request gets you all the data as there was no authentication at all," SIT security researcher Siegfried Rasthofer told Forbes.
Another vulnerability in the app allowed the researchers to draw out images, nine at a time. When they tried to see if their own image was accessible by exploiting the loophole, they found other photos coming through, including a nude. (The researchers didn't actually download anyone else's images; they were only previews stored in the browser, the cache of which was swiftly deleted.)
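The two flaws described above (an endpoint that hands out every user's record, plaintext passwords included, on a bare GET, and paged access to other users' photos) are a textbook case of missing authentication plus missing per-user authorization. The following is an added illustration written for this page; it is not Couple Vow's code, nor anything the Fraunhofer SIT researchers published. It uses constructed sample accounts, a nine-item page size to mirror the reported behaviour, and shows the vulnerable handler beside a hardened one that requires a session token, scopes results to the caller, and stores only a salted password hash.

```python
"""Constructed mock of the flaw class described above: a records endpoint that
answers a bare GET with every user's data, passwords in plain text, and lets a
caller page through other users' photos. Sample records are made up; nothing
here is Couple Vow's code."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 9  # mirrors the "nine at a time" paging the researchers described

# Constructed sample data; not real accounts.
USERS = {
    1: {"email": "alice@example.org", "password": "hunter2",
        "photos": ["a1.jpg", "a2.jpg"]},
    2: {"email": "bob@example.org", "password": "letmein",
        "photos": ["b1.jpg"]},
    3: {"email": "carol@example.org", "password": "qwerty",
        "photos": ["c1.jpg", "c2.jpg", "c3.jpg"]},
}


def vulnerable_get_users(page: int) -> List[dict]:
    """Vulnerable pattern: no credential check, every record returned
    (password included), paged so a client can walk the whole table."""
    rows = [dict(id=uid, **rec) for uid, rec in sorted(USERS.items())]
    start = page * PAGE_SIZE
    return rows[start:start + PAGE_SIZE]


# --- hardened version of the same endpoint -----------------------------

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Same accounts, but only a password hash is kept server-side.
HARDENED_USERS = {
    uid: {"email": rec["email"],
          "password_hash": hash_password(rec["password"]),
          "photos": list(rec["photos"])}
    for uid, rec in USERS.items()
}
SESSIONS: Dict[str, int] = {}  # bearer token -> user id


def login(email: str, password: str) -> Optional[str]:
    """Issue a random session token only after the password verifies."""
    for uid, rec in HARDENED_USERS.items():
        if rec["email"] == email and verify_password(password, rec["password_hash"]):
            token = secrets.token_urlsafe(32)
            SESSIONS[token] = uid
            return token
    return None


def hardened_get_photos(headers: Dict[str, str], page: int) -> Tuple[int, dict]:
    """Hardened pattern: require a valid bearer token, scope the result to
    the authenticated user, and never return credential material."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    uid = SESSIONS.get(auth[len("Bearer "):])
    if uid is None:
        return 401, {"error": "invalid session"}
    photos = HARDENED_USERS[uid]["photos"]
    start = page * PAGE_SIZE
    return 200, {"id": uid, "photos": photos[start:start + PAGE_SIZE]}


if __name__ == "__main__":
    print("unauthenticated GET, vulnerable:", vulnerable_get_users(0))
    print("unauthenticated GET, hardened:", hardened_get_photos({}, 0))
    token = login("bob@example.org", "letmein")
    print("authenticated GET, hardened:",
          hardened_get_photos({"Authorization": f"Bearer {token}"}, 0))
```

The point of the contrast is that paging by itself is not the bug: the hardened handler still pages nine at a time, but the page is drawn from the caller's own photos, so enumerating page numbers cannot reach anyone else's data, and there is no password field in the response or in the stored record to leak in the first place.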
The developers of Couple Vow did not respond to multiple requests for comment.
Another 18 tracker apps with millions of users were also probed by Rasthofer and his colleagues Stephan Huber and Steven Arzt over the course of last year. All contained weaknesses that could be exploited to access accounts, including login bypasses and unprotected communications.
Consumer spyware companies have been hacked by less well intentioned hackers over the last year. Thai firm FlexiSpy and American company Retina-X were reportedly compromised last year.
Google 'slow to respond'
Some app developers responded to Rasthofer's warnings, but many remain online and vulnerable, including Couple Vow.
And he was critical of Google's response to his team's disclosure. "The communication with Google was not awesome," he said. "It was slow and we had to push them. ... It didn't directly affect Google; this is maybe the reason." He said Google removed a handful of the apps from the Play store, but some were left up.
Google hadn't responded to a request for comment at the time of publication.