Millions of people worldwide are using vulnerable Android apps that are leaking the personal data of the users’, according to researchers from Germany’s Leibniz University of Hannover and Philipps University of Marburg.
Researchers, who tried to hack a sample of 100 of the vulnerable apps, tested 13,500 Android apps and found that about 8% failed to protect bank account and social media logins.
Researchers used an automated tool called MalloDroid to detect ‘man-in-the-middle’ (MITM) attacks, and of the 100 apps, 41 of them were confirmed to be vulnerable.
A Samsung Galaxy Nexus smartphone running Android 4.0 Ice Cream Sandwich was also used by the researchers to carry out all the tests.
Researchers said that from these 41 apps, they were able to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others.
The researchers created a fake Wi-Fi hot spot and mounted an attack that spied on data sent and received by the apps.
By using fake Wi-Fi hot spot, researchers were able to capture log-in details for online banking, social media, email services, corporate networks as well as disable security software.
For the study, the researchers surveyed 754 users, whose average age was 24 years, and of the respondents, about 61.9% did not have IT-related education or jobs.