Security loopholes in Android OS, social media putting 550m users' data at risk, Hong Kong researchers say

PUBLISHED : Friday, 10 July, 2015, 8:18am
UPDATED : Friday, 10 July, 2015, 8:18am

Over 550 million people worldwide are at risk of having their data hacked due to security loopholes in the Android phone or social media platforms they use, researchers in Hong Kong claim. 

Hackers can use malware to tap into Google Voice Search, the voice assistant module that is pre-installed on some Android devices, without the owner needing to ever activate the software, according to Professor Zhang Kehuan at the Chinese University of Hong Kong (CUHK)’s information engineering department. 

The attack bypasses the operating system’s protection mechanism by targeting the device’s loudspeaker, he said.

Android apps have in the past been found to access users' personal data without notifying them. A recent US-China study showed that one in 10 Android apps contain malicious code.

“We suggest that smartphone owners only use apps provided by the official stores and avoid installing them from untrustworthy sources,” Zhang said.

Social media sites that allow people to sign in using their pre-existing accounts on Facebook, Twitter or another third-party site represent the second danger area, said Professor Lau Wing Cheong, one of Zhang’s colleagues who headed up a second research team.

To facilitate this, Instagram, LinkedIn and the two aforementioned sites use an authentication protocol called OAuth 2.0. 

It is also popular among Chinese social networks like microblogging site Weibo, Douban, which focuses on arts and cultural exchanges, and Renren, a platform once dubbed “China’s Facebook” that has since fallen on hard times. 

But a security flaw in the coding of this protocol allows the site to access the data of people’s previous social media accounts when they register, Lau said.

Lau said the team has “informed all the affected OSN [online social network] providers and proposed solutions that can be readily developed”. 

When the team discovered the Android bug, which proved effective in spite of phone-locking passwords, it also reached out to Google, Android’s developer. 

The US search engine giant responded by saying it had updated the system to make the devices almost impregnable when locked, but that the hacking risk remained whenever unlocked. 

Zhang said the team had not yet tested other operating systems, such as Apple’s iOS.

Android dominates the market, accounting for 78 per cent of all smartphone users in the first quarter of 2015, according to the International Data Corporation. 

Facebook has 1.44 billion monthly active users while Twitter has 302 million, according to the companies’ official profiles.