Snynet Solution Logo
MON - SUN: 10 AM - 6 PM
+60 11 5624 8319

Blog

This Android security flaw could let hackers follow all your movements

Image Description

An innocuous-looking feature on Android devices was accidentally discovered by cybersecurity researchers as a means of spying on the whereabouts of another user, without the need to install additional stalkerware apps.

Malwarebytes researcher Pieter Arntz discovered the issue after he signed in to his Google account on his wife’s smartphone. Unexpectedly however, this enabled him to track the movements of his spouse using the Google Maps Timeline feature. 

“After I logged out of Google Play on my wife’s phone the issue was still not resolved. After some digging I learned that my Google account was added to my wife’s phone’s accounts when I logged in on the Play Store, but was not removed when I logged out after noticing the tracking issue,” noted Arntz.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window

Arntz subsequently reported the issue to Google, but was told that the behavior is infact a feature and not really a bug.

Flawed feature

While Google might treat this as a legitimate feature, and not a bug, Malwarebytes, as one of the founding members of the Coalition against Stalkerware (CAS), is treating it as a potential flaw since its misuse would constitute what it refers to as “tech enabled abuse.”

“This is more aptly a design and user experience flaw. However, it is still a flaw that can and should be called out, because the end result can still provide location tracking of another person’s device,” asserts Artnz.

He suggests a handful of things Google could improve to prevent the feature from being misused. 

For starters, Google needs to rein in the overzealous nature of the feature. Since the timeline feature was enabled in Arntz’s device and not his wife’s he feels he shouldn’t be receiving the locations visited by her phone, in the first place.

Secondly, although he received a warning when he signed into his account on her phone, Google should ensure a similar “someone else logged into Google Play on your phone” should also be sent to her wife’s phone.

Finally, Arntz feels that Google should do a better job of displaying the current logged in users instead of only showing the first letter of the Google account user.

For its part, Malwarebytes advises all Android users to check if any additional Google accounts have been added to their phone, and remove them manually to mitigate this risk of the flawed feature. 

Date

04 Sep 2021

Sources


Share


Other Blog

  • 7-zip vulnerability gives hackers the keys to the kingdom

    A threat actor could abuse the popular archiving app, 7-zip and gain elevated privileges on a device to which they already have access.

    A GitHub user going by the name Kagancapar discovered a zero-day vulnerability in 7-zip for the Windows operating system (OS). The findings, posted on GitHub, revealed that, "Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area."

    Here’s how it works: a threat actor crafts a malicious file, and gives it a .7z extension (the one that an archive compressed with 7-zip can have). They then need to drag and drop that file onto the 7-zip help window, and run a command in admin mode.

    Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

    Waiting for a patch

    After that, they’ll get elevated privileges on the target endpoint, allowing them to run more complex commands and run different apps. More details can be found in this proof-of-concept video.

    The vulnerability is now tracked as CVE-2022-29072. The latest 7-zip version is 21.07, released in late December last year, which means the zero-day was not yet patched. 

    Those worried about potentially being targeted through 7-zip can protect their virtual premises by deleting the 7-zip.chm file, Tom’s Hardware reported. Another method is to grant 7-zip only read and run permissions for all users. 

    The file compression company doesn’t seem to have commented on the vulnerability much, other than refusing to take responsibility for the flaw, given that it depends on Microsoft Help in Windows. However, as Kagancapar explained, dropping the malicious file on the Help window triggers a heap overflow in 7zFM.exe, which leads to the escalation of privilege, arguing that for this reason alone - it’s 7-zip who should be addressing the issue.

    7-zip is one of the three most popular file archiving applications, whose popularity is only rivaled by giants WinZIP and WinRaR. 

    Via: Tom's Hardware

    Read More
  • Bing receives a Microsoft-flavoured rebrand

    Rebrand looks to emphasise the role of Bing within the Microsoft family of products.

    Read More
  • Shop eBay’s Certified Refurbished Razer laptops this holiday season

    eBay’s Certified Refurbished Razer laptops can save you a ton of money while still meeting high standards.

    Read More
  • You’ll never need a password manager again, thanks to this new Chrome update

    Making purchases via Google Chrome will soon become a lot more secure.

    Read More

Find Out More About Us

Want to hire best people for your project? Look no further you came to the right place!

Contact Us