Even if denied access, thousands of Android applications can still track you

Researchers have found thousands of applications that use extremely sophisticated techniques to get around the Android permission system and can track devices even after you have denied access.

Normally, when you download and install an Android application, it asks you at first launch to grant certain access rights on the phone, depending on the purpose of the application. In many cases you do not want the application to reach too deeply into your private data, such as location information, messages, or contacts, so you refuse to grant the permission and assume the application is now completely "harmless". It is not so.

Picture 1: Refuse to grant application permissions

According to recent statistics, researchers have found thousands of applications that get around the Android permission system in sophisticated ways and can track devices even if you have denied access. The type of data most often affected is still location information. Some of these applications can even silently collect enough data to reveal your location in real time.

Thus, even if you refuse to grant an application full access, this may not be enough to completely 'disable' it. One problem is that another application to which you have granted access can share the data it can reach with the first application (this is rare, and usually only happens between applications from the same developer or publisher). The second, more common case is that the collected information is left in freely shared storage, where another application, malicious ones not excluded, can access it.

Picture 2: Location data is still the most sought-after item

In the case of two seemingly unrelated applications that can still share data back and forth, the security researchers came to this conclusion: most of these applications are built with the same software development kit (SDK), which is why one can access the data that the other can access, and there is also evidence that the SDK owners receive the data the applications send. The situation is like a child asking for ice cream: the mother, worried about a sore throat, says 'no', while the father does not think it is a serious problem and agrees.

According to a study presented at the PrivacyCon 2019 security conference, many applications from big brands such as Samsung and Disney (downloaded hundreds of millions of times) exhibit this behavior of automatically accessing and sharing the data described above.

There is one important similarity: these applications often use SDKs developed by the Chinese search giant Baidu and by a market analytics company called Salmonads. This allows them to 'silently' pass user data from one application to another (and to the service's servers) by storing the collected data locally in the phone's own storage.

Picture 3: Applications built on a common SDK can share collected data with each other

Security researchers also found that some applications built on Baidu's SDK might try to obtain this data for other, more complex purposes.

In addition, the team found several side channels. Through some of these, applications can send very revealing information to their servers, such as the network MAC address, the router's unique MAC address, wireless access point information, the SSID, and much other data.

According to Professor Serge Egelman, director of the Usable Security and Privacy Group at the International Computer Science Institute (ICSI) and one of the industry's leading security experts, it is no coincidence that these applications collect information such as MAC addresses or SSIDs. Such data can stand in for location data, a type of data that users increasingly care about and that is no longer as easy to collect as before. The ultimate goal is therefore to determine the exact location of the user.

Other, even more sophisticated methods of data collection have also been recorded, as in the case of Shutterfly. The research showed that this photo application is able to send actual GPS coordinates to its server even when it has not been granted the location permission, by reading the necessary information from EXIF metadata, the data embedded in the photos you upload to Shutterfly. Although Shutterfly has argued that it has not collected any unauthorized data, the incident has caused the app's reputation to plummet.
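What a photo's EXIF block exposes, and how to remove it before the photo is shared, shown as an added example (not code from the study or from any application named here). The function names and the JPEG stub built by `sample_jpeg()` are constructed for illustration.

```python
import struct

def segments(jpeg):
    """Yield (marker, start, end) for each JPEG segment before the scan data."""
    pos = 2                                   # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, end
        pos = end

def gps_coords(jpeg):
    """Return (lat, lon) from the EXIF GPS IFD, or None if the photo has none."""
    tiff = next((jpeg[s + 10:e] for m, s, e in segments(jpeg)
                 if m == 0xE1 and jpeg[s + 4:s + 10] == b"Exif\0\0"), None)
    if tiff is None:
        return None
    bo = "<" if tiff[:2] == b"II" else ">"    # TIFF byte order
    def ifd(off):                             # tag -> raw 4-byte value field
        n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
        return {t: v for t, _, _, v in (struct.unpack(bo + "HHI4s",
                tiff[off + 2 + 12 * i:off + 14 + 12 * i]) for i in range(n))}
    def dms(raw):                             # three RATIONALs stored at an offset
        v = struct.unpack(bo + "6I", tiff[struct.unpack(bo + "I", raw)[0]:][:24])
        return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    ifd0 = ifd(struct.unpack(bo + "I", tiff[4:8])[0])
    if 0x8825 not in ifd0:                    # 0x8825 = GPSInfo IFD pointer
        return None
    gps = ifd(struct.unpack(bo + "I", ifd0[0x8825])[0])
    if not {1, 2, 3, 4} <= gps.keys():        # LatRef, Lat, LonRef, Lon
        return None
    lat = dms(gps[2]) * (-1 if gps[1][:1] == b"S" else 1)
    lon = dms(gps[4]) * (-1 if gps[3][:1] == b"W" else 1)
    return round(lat, 6), round(lon, 6)

def strip_exif(jpeg):
    """Return the JPEG with every APP1 (EXIF/XMP) segment removed."""
    keep = [jpeg[s:e] for m, s, e in segments(jpeg) if m != 0xE1]
    tail = max([e for _, _, e in segments(jpeg)], default=2)
    return jpeg[:2] + b"".join(keep) + jpeg[tail:]

def sample_jpeg():
    """Constructed JPEG stub whose GPS IFD encodes 48.858333 N, 2.294444 E."""
    rat = struct.pack("<12I", 48, 1, 51, 1, 30, 1, 2, 1, 17, 1, 40, 1)
    ifd0 = struct.pack("<HHHIII", 1, 0x8825, 4, 1, 26, 0)   # GPS IFD at offset 26
    ents = [(1, 2, 2, b"N\0\0\0"), (2, 5, 3, struct.pack("<I", 80)),
            (3, 2, 2, b"E\0\0\0"), (4, 5, 3, struct.pack("<I", 104))]
    gps = struct.pack("<H", 4) + b"".join(struct.pack("<HHI4s", *x) for x in ents) + b"\0" * 4
    app1 = b"Exif\0\0II*\0" + struct.pack("<I", 8) + ifd0 + gps + rat
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\0\x02\xff\xd9"
```

`gps_coords(sample_jpeg())` returns the embedded coordinates without any location permission being involved; after `strip_exif()` the same call returns `None`.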

Picture 4: Shutterfly commits not to collect unauthorized user data

On the Android platform side, the researchers say they informed Google last September of the vulnerabilities that allow applications to exceed the access they have been granted on the operating system. Google has promised to "rectify" the problem thoroughly in the latest version, Android Q. However, this may not be of much help for Android devices that cannot get the Android Q update, and their number is not small at all. As of May 2019, only about 10.4% of current Android devices had the latest Android P installed, while more than 60% were still running Android N, which is nearly 3 years old.

Researchers believe that Google should offer more practical measures. For example, it could release hotfixes as security updates for older Android versions as well. It is completely absurd that only those who buy new phones running the new version of Android are protected from complex vulnerabilities; as Google said: 'Privacy and protection are not, and should not be considered, a luxury product'.

Picture 5: Google promises to "rectify" some of the known security issues in Android Q

Google declined to comment on the specific vulnerabilities mentioned above, but confirmed that Android Q will hide geolocation information from all photo applications by default and will also require application developers to report to the Play Store whether their products are actually capable of accessing location metadata.

Update 09 July 2019