ANDROID users have been urged to steer clear of a dodgy app with 100 million downloads on the Google Play Store.
US cyber security buffs warn in a new report that the Go SMS Pro messaging app exposes the private photos and videos of its users due to a major security flaw.
Researchers reported the bug to the app’s creators in August and imposed a 90-day deadline to fix the issue.
After that deadline passed without a response, the team at Chicago-based cyber firm Trustwave shared the results online.
In a blog post detailing the findings last week, researchers warned that Go SMS Pro publicly exposes media files sent between users of the app.
“This exposure includes private voice messages, video messages, and photos,” they wrote.
“Any sensitive media shared between users of this messenger app is at risk of being compromised by an unauthenticated attacker or curious user.”
Trustwave said the flaw was discovered with Go SMS Pro version 7.91, though older and future versions are believed to be impacted too.
Like other messaging apps, Go SMS Pro – one of the Google Play Store’s most popular messaging apps – allows users to send files to one another.
However, unlike other apps, an issue arises when a Go SMS Pro user sends something to another Android user who doesn’t have this app installed.
When this happens, Go SMS Pro creates a webpage that is shared with the receiver via SMS so they can view the file.
However, Trustwave researchers found these web addresses are easy to guess, particularly as they are created sequentially.
To view your files without your permission, all a hacker would need to do is predict the URL attached to them.
“A malicious user could potentially access any media files sent via this service and also any that are sent in the future,” Trustwave said.
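The weakness described above, link IDs handed out in sequence, is shown here beside a hardened design as an added example; it is not code from Go SMS Pro or from Trustwave's report. The class names, the starting counter value and the seven-day expiry are assumptions made for illustration.

```python
import itertools
import secrets
import time

TOKEN_BYTES = 16                   # 128 bits from the OS CSPRNG
LINK_TTL_SECONDS = 7 * 24 * 3600   # assumed retention period, not from the report


class SequentialLinkStore:
    """Weak pattern: link IDs come from a counter, so neighbours are predictable."""

    def __init__(self):
        self._counter = itertools.count(1000)   # constructed starting value
        self._files = {}

    def share(self, media: bytes) -> str:
        link_id = format(next(self._counter), "x")
        self._files[link_id] = media
        return link_id


class RandomLinkStore:
    """Hardened pattern: unguessable token per file, plus an expiry time."""

    def __init__(self, now=time.time):
        self._now = now
        self._files = {}

    def share(self, media: bytes) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._files[token] = (media, self._now() + LINK_TTL_SECONDS)
        return token

    def fetch(self, token: str):
        media, expires = self._files.get(token, (None, 0.0))
        if media is None or self._now() >= expires:
            self._files.pop(token, None)   # drop expired entries
            return None
        return media


def looks_sequential(ids, max_step=4):
    """Audit check: True when issued IDs are hex numbers rising in small steps."""
    try:
        nums = [int(i, 16) for i in ids]
    except ValueError:
        return False                       # not plain hex counters
    return len(nums) > 1 and all(0 < b - a <= max_step for a, b in zip(nums, nums[1:]))
```

Running `looks_sequential` over a sample of link IDs a service has issued is a quick review check for this class of flaw before release.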
How to stay safe from hackers
- Protect your devices and networks by keeping them up to date: use the latest supported versions, use anti-virus and scan regularly to guard against known malware threats.
- Use multi-factor authentication to reduce the impact of password compromises.
- Tell staff how to report suspected phishing emails and ensure they feel confident to do so; investigate their reports promptly and thoroughly.
- Set up a security monitoring capability so you are collecting the data that will be needed to analyse network intrusions.
- Prevent and detect lateral movement in your organisation’s networks.
“This obviously impacts the confidentiality of media content sent via this application.”
Trustwave said the elusive makers of the app have not responded to multiple emails sent by researchers since August 18.
As a result, the vulnerability still exists and presents a risk to users. The app is still live on the Google Play Store.
Trustwave urged users of the app to avoid sending media files that they want to keep private or that contain sensitive data until the issue is resolved.
This post first appeared on Thesun.co.uk