Last week HackRead exclusively reported how a fidget spinner app on the Play Store was sending data about other apps on an Android device to a server based in China. Now, researchers at the security firm Pradeo have identified that a popular game app on the Play Store performs a number of unwanted functions beyond what it is supposed to do.
According to their findings, the app, called Dune!, is riddled with a number of OWASP-listed flaws and is constantly leaking sensitive data. It is also claimed that Dune! can facilitate denial-of-service attacks and data corruption.
It is rather unfortunate that Dune! has been downloaded 5 to 10 million times in the past few weeks alone and is currently listed in the Top Apps category of the Play Store.
The app can leak critical private data including country code, device manufacturer, service provider, the device’s commercial name, type of telephone network, battery level, device model number and operating system. Furthermore, it can geolocate the device’s user even though it is a gaming app and this sort of functionality is not required to run the game.
It was noted that the stolen data is sent to 32 servers and that, due to the presence of 11 OWASP vulnerabilities, including ones that let other apps bypass security access controls, it is possible for third parties to collect sensitive data. Moreover, the app contains an excessively high number of external libraries, and half of them are capable of tracking users and obtaining as much information as possible.
In their official blog post, the researchers wrote that the app has 20 libraries, which is an above-average number, and that these libraries silently connect the device to unknown servers and leak data.
Then there are the Broadcast-Service and Broadcast-Receiver vulnerabilities, which also allow data leakage and a denial-of-service attack to be carried out. Also present is a URL canonicalization vulnerability that eventually paves the way for directory traversal, and an X.509 TrustManager bug that allows an attacker to read transmitted data, and modify it, over an HTTPS connection.
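For readers unfamiliar with the X.509 TrustManager class of bug named above, the following is an added illustration (not code from the article, from Pradeo, or from the Dune! app) of what such a flaw looks like in Android/Java code, next to the hardened form and a small review-time check; the class and method names are assumptions for the example.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerExample {

    // INSECURE: the pattern behind an "X.509 TrustManager" finding.
    // The empty check methods accept any certificate chain, so anyone on the
    // network path can present their own certificate and read or modify
    // what the app sends over HTTPS. (Often paired with a HostnameVerifier
    // that always returns true, which is the same mistake for the hostname.)
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // HARDENED: validate against the platform's default trust anchors.
    // On Android, pinning is better added declaratively via
    // network_security_config.xml rather than by hand-writing a TrustManager.
    static SSLContext secureContext() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore = system trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Review aid: a correct TrustManager rejects an empty chain (the JDK
    // default throws IllegalArgumentException); a trust-all one returns
    // silently. Returns true when the manager accepts anything.
    static boolean acceptsAnything(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (CertificateException | IllegalArgumentException e) {
            return false;
        }
    }
}
```

Running `acceptsAnything` against each `X509TrustManager` an app constructs is a quick way for a reviewer to flag this bug class before the app ships.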
It is evident that this app can be really dangerous for users, especially government employees, because sensitive data is leaked without the user’s knowledge. An attacker can easily learn the exact location of the user and use that information while carrying out other attacks.