The researchers identified 41 applications in Google’sPlay Marketthat leaked sensitive data as it traveled between handsets running the Ice Cream Sandwich version of Android and webservers for banks and other online services. By connecting the devices to a local area network that used a variety of well-known exploits, some of themavailable online, the scientists were able to defeat the secure sockets layer and transport layer security protocols implemented by the apps. Their research paper didn’t identify the programs, except to say they have been downloaded from 39.5 million and 185 million times, based on Google statistics.
“We could gather bank account information, payment credentials for PayPal, American Express and others,” the researchers, from Germany’s Leibniz University of Hannover and Philipps University of Marburg, wrote. “Furthermore, Facebook, email and cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted.” Other exposed data included the contents of e-mails and instant messages.