In today’s episode of “Android security bad,” researchers at the University of Michigan have uncovered over 400 apps currently hosted in Google Play – some with tens of millions of installs – that are susceptible to open port malware attacks and data theft. As always, millions of users are at risk but we don’t know how many, if any, have actually been affected.

The researchers built a custom tool to analyze tens of thousands of apps in Google’s Android market, identifying 410 that create unprotected open ports on the smartphones they are installed on. These open ports can then be targeted by hackers to steal user data or remotely install malware. The research team identified multiple attack vectors on a sample of those apps, but the full list of affected apps was not named (although they have been reported).

The team identified just shy of a thousand total exploits across the affected apps, manually confirming the vulnerability on 57 of them, “including popular ones with 10 to 50 million downloads on the official market, and also an app that is pre-installed on some device models” (AirDroid).

As is usually the case with these stories, we are not told how to minimize the risk, with the task of protecting our data seemingly left up to the goodwill of developers. While the exploits detailed in the research paper could be quite damaging under certain circumstances, we’ll just have to hope they are addressed and patched before any bad actors attempt to take advantage of them.

Kris Carlon
Kris Carlon is a Senior Editor at Android Authority. He is a half-British Australian who lives in Berlin, travels a lot and is always connected to a laptop, phone, smartwatch or tablet (and occasionally a book).
  • tiger

    Oh no, Android security is top notch!

  • Karabo Sello

    Google is shit when it comes to Android security, very lazy. People don’t seem to bother to try harder to identify these sorts of things

    • Daggett Beaver |dBz| ✓ᵛᵉʳᶦᶠᶦᵉᵈ

      Google is shit when it comes to just about everything these days. Even Chrome is sucking more and more. It was my favorite browser. But there’s no viable alternative. Opera is based on Chrome. And Firefox is a pain in the butt and slow. And do NOT suggest Edge.

      • donvitocorleone

        Try Vivaldi browser. Based on Chromium but it has a serious team behind it.

  • John Doe

    And Google has removed these apps from the Play store already? Yes/No??
    Maybe even auto-deleting them from users’ phones would be an idea .. (especially if they are not going to tell us which apps are subject to these issues!!)

    Do the same apps exist in iOS and do they have the same vulnerabilities?

    • Jason

      What difference does it make to Android users if iOS has the same issues? Will that make you feel better?

      • John Doe

        Jason, if you don’t care then fine! thanks for letting us ALL know that you don’t care!!
        and I hope that makes YOU feel better! No? Too Bad, time to move on ..

    • Linus

      Not sure if these “open ports” would somehow be “protected” by iOS. If not, then I guess it’s the same problem there.

  • Sintae

    ok, so which apps?

  • Sunraw X

    Nothing is guaranteed…

  • cavanaughnick

    Since when is AirDroid pre installed on any device?

  • Grant D

    A SHAMEFUR DISPRAY!!!!!!!!!!!!!!!!!!

  • Don Low

    At least those apps don’t want you to promote them on Social Media and promise the latest free phone and never delivers like Android Authority….

  • donvitocorleone

    Why can’t they name the apps?