Google patches Android flaw that allows phishing apps to spoof genuine ones

Advertisement
By NDTV Correspondent | Updated: 16 April 2014 14:17 IST
Google has released a patch that fixes a security vulnerability in Android related to app permissions. Security firm FireEye discovered late last year that apps could modify the icons of other apps on Android home screens and make them point to any other app or website, which would allow attackers to divert users to fake versions of trusted apps and websites in order to steal information.

The security lapse is possible because until now, apps have been able to modify the Android launcher's Read and Write attributes without explicitly asking for user permission. These permissions had previously been classified as "normal", indicating there was no known potential for abuse. "Normal" permissions are not displayed to the user prior to app installation, unlike more sensitive ones such as allowing access to location data, contacts, and the camera.

However, attackers could easily modify icons to point to malicious websites or apps that spoof the interfaces of known, trusted ones, such as banking and shopping apps. Commonly known as phishing, this kind of malware tricks users into entering their PIN numbers, passwords or credit card information, which are then stolen.

The problem affects devices up to and including those running Android 4.4.2, the most recent version. Custom Android skins including those of Samsung and HTC, as well as the aftermarket CyanogenMod, were found to be vulnerable.

FireEye demonstrated a proof of concept app which made it past Google's security scans and was briefly live in the Google Play store, but was withdrawn before anyone could accidentally download it. No requests for permissions were displayed to test users on a Nexus 7 tablet.

Google has now acknowledged the problem and has released a patch to Android device manufacturers, but it will be up to them to decide which devices will receive updates, and when. Android fragmentation is a known problem, and many devices might never be updated. Users must therefore be constantly vigilant of potential phishing attacks.

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Vivo Y500 4G Makes Global Debut With an 8,100mAh Battery: See Price
  2. Xiaomi 18 Pro Max Prototype Leaked With Dual 200MP Cameras, 100W Charging
  3. Moto G77 Power Listing Confirms Key Specifications Before July 8 Debut
  4. Samsung Galaxy Z Fold 8 Series, Galaxy Flip 8 Price Leaked Ahead of Debut
  5. Best Amazon Prime Day Laptop Deals for Students
  6. Samsung Galaxy Z Fold 8 Series Could Ship With This Notable Display Upgrade
  1. Apple Brings Back Card Payments for App Store and iCloud Transactions in India After Five Years
  2. Samsung Galaxy Z Fold 8 Series Tipped to Launch With a New Hinge to Minimise Display Crease
  3. Huawei Mate X8 Display, Camera Details Leaked Online; Mate XT 2 and Mate X8 Said to Launch With Kirin Processor
  4. Redmi Said to Be Working on 7-Inch 'Performance' Smartphone
  5. Bitcoin Trades Near Two-Week High as Crypto Investor Sentiment Improves
  6. iOS 27 System Prompt Reportedly Hints at Apple’s New Smart Wearable With Two Cameras
  7. Xiaomi Civi Series Discontinued With No Next-Generation Model Planned, Claims Tipster
  8. Apple’s Foldable iPhone to Hit Shelves Later Than Anticipated Due to ‘Manufacturing Challenges’, Analyst Claims
  9. Samsung Galaxy F70 Pro Bluetooth SIG Listing Suggests Its Launch Might Be Right Around the Corner
  10. iPhone Air 2 Design Leaked in New Renders That Point to Dual 48-Megapixel Cameras
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.