Dune! Game App Leaking Sensitive Data of Millions of Android Users

Haythem Elmir

Last week HackRead exclusively reported how a fidget spinner app on the Play Store was sending data about other apps on an Android device to a server based in China. Now, researchers at security firm Pradeo have identified that a popular game app on the Play Store is performing quite a few undesirable functions beyond what it is supposed to do.

According to their findings, the app called Dune! is actually plagued with a number of OWASP flaws and is constantly leaking sensitive data. It is also claimed that Dune! can facilitate the execution of denial of service attacks and can also perform data corruption.

It is rather unfortunate that Dune! has been downloaded 5 to 10 million times in the past few weeks alone and is currently listed in the Top Apps category of the Play Store.

Dune! Game App on Play Store Leaking Sensitive Data of Users

The app can leak critical private data including country code, device manufacturer, server provider, device’s commercial name, type of telephone network, battery level, device model number and operating system. Furthermore, it can also geolocate the device user although it is a gaming app and this sort of functionality is not required for the execution of the game.

It was noted that the stolen data is sent to 32 servers. Because the app has 11 OWASP vulnerabilities, including some that let other apps bypass security access, it is possible for third parties to collect sensitive data. Moreover, the app contains an excessively high number of external libraries, and half of them are capable of tracking users and obtaining as much information as possible.

In their official blog post, the researchers wrote that the app has 20 libraries, which is an above average number, and these libraries silently connect the device to unknown servers and perform data leakage.

Then there are the Broadcast-Service and Broadcast-Receiver vulnerabilities, which also allow data leakage and denial-of-service attacks. Also present is a URL canonicalization vulnerability, which paves the way for directory traversal, and an X509TrustManager bug that allows an attacker to read and modify data transmitted over an HTTPS connection.
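The Broadcast-Receiver and Broadcast-Service issues above concern app components that other apps on the device can reach. As an added illustration (not from Pradeo's report or the original article), the script below audits a decoded AndroidManifest.xml for receivers and services that are exported without an `android:permission`. The manifest and every component name in it are constructed, and reading the reported flaws as unprotected exported components is an assumption.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest (hypothetical names, not taken from the Dune! APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <application android:label="Example">
    <receiver android:name=".AdEventReceiver">
      <intent-filter><action android:name="com.example.game.AD_EVENT"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"/>
    <service android:name=".BillingService" android:exported="true"
             android:permission="com.example.game.permission.BILLING"/>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.game.INTERNAL"/></intent-filter>
    </receiver>
    <service android:name=".LocalService"/>
  </application>
</manifest>
"""

def is_exported(component):
    """An explicit android:exported wins. Without it, the default for apps
    targeting below Android 12 is: exported if an intent filter is declared."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (tag, name, reason) for each exported receiver or service that
    no permission protects, so any installed app can send it intents."""
    findings = []
    for app in ET.fromstring(xml_text).iter("application"):
        app_permission = app.get(A + "permission")  # default for all components
        for comp in app:
            if comp.tag not in ("receiver", "service") or not is_exported(comp):
                continue
            if comp.get(A + "permission") or app_permission:
                continue
            reason = ("explicitly exported" if comp.get(A + "exported")
                      else "implicitly exported via intent-filter")
            findings.append((comp.tag, comp.get(A + "name"), reason))
    return findings

if __name__ == "__main__":
    for tag, name, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{tag} {name}: {reason}, no android:permission")
```

Each finding is a component to either mark `android:exported="false"` or guard with a signature-level permission.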

To read the original article:

Dune! Game App Leaking Sensitive Data of Millions of Android Users

 
