Open Port Exploits Found In Play Store Apps


Researchers with the University of Michigan recently combed over the Play Store and found that over 400 apps in the sample they dredged up left ports open and unsecured on the devices they were used on, leaving the door open for hackers to compromise those devices. They used a program called OPAnalyzer to scan a whopping 24,000 apps across various categories in the Play Store for exploits, then checked 57 of the positive results by hand. The apps that were found to be vulnerable included a number of widely popular apps with tens of thousands of downloads, with AirDroid being one of the more popular examples.

Apps from the likes of Baidu and Tencent were found to be vulnerable, among others. The researchers found that apps with certain permissions were more likely to be vulnerable, and some of the permissions most commonly linked to vulnerabilities are also some of the most commonly found in apps. These include things like the ability to write to external storage, location permissions, contacts access, and permission to use the camera. Features such as data sharing, VoIP functionality, and proxy usage also tended to be linked to apps with the open port vulnerability.

While the vulnerabilities that were found don't seem to have been exploited by anybody at this point, the results shine a light on a glaring issue with the Play Store. Although the Play Store and its Verify Apps feature can detect malware, exploits, and other nastiness actually hidden inside apps, they don't actively seek out security holes in apps that could give hackers an open door to compromise users' devices, insert malicious code into the apps themselves, or otherwise do things that aren't supposed to be done with apps in the Play Store. It's obviously not feasible to scan every single submitted app for every known exploit, given the massive number of both, so it becomes a question of what has to be accepted in order to keep the submission and listing systems flowing with minimal security risk, and the current approach is a fairly good compromise.


Copyright ©2017 Android Headlines. All Rights Reserved.

Senior Staff Writer

Daniel has been writing for Android Headlines since 2015, and is one of the site's Senior Staff Writers. He's been living the Android life since 2010, and has been interested in technology of all sorts since childhood. His personal, educational and professional backgrounds in computer science, gaming, literature, and music leave him uniquely equipped to handle a wide range of news topics for the site. These include the likes of machine learning, voice assistants, and AI technology development news in the Android world.
