
Mobile App Privacy and Abuse of OS-Level Permissions

Tags: ios apps, monitoring apps, privacy labels, camera access, permissions, bystander privacy, privacy, contacts access, microphone access, device takeover, android, sms verification, accessibilityservice, app store, stalkerware

Updated February 17, 2026 at 02:02 AM · 2 sources

Independent research found systemic privacy gaps in Chinese smart home iOS apps, particularly around bystander privacy (people captured by cameras/mics who are not the account owner). A review of 49 apps in Apple’s mainland China App Store reported frequent mismatches between App Store privacy labels, privacy policies, and in-app settings, alongside broad collection of sensitive data and permissions (e.g., location, camera, microphone, contacts, Bluetooth, notifications) and identity-linked registration requirements (phone number + SMS verification).

Separately, a technical proof-of-concept demonstrated how Android’s AccessibilityService can be abused as a “single-toggle” path to near-total device control without rooting or exploiting a vulnerability. The write-up describes rapid, silent enablement/abuse patterns that can lead to permission-like capabilities (screen capture, keylogging, gesture injection, data access, and remote control via a browser-based C2), highlighting how this legitimate accessibility feature is leveraged by stalkerware/monitoring ecosystems and why existing coverage often understates the practical impact.
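A defender-side triage step for the AccessibilityService pattern described above, added here as an example (it is not code from the referenced proof-of-concept): enabled accessibility services live in Android's secure settings as a colon-separated list of component names, so an administrator can pull that value with `adb shell settings get secure enabled_accessibility_services` (plus the `accessibility_enabled` toggle) and compare it against an allowlist. The allowlist below is a hypothetical policy; only the TalkBack component name in it is real, and `com.example.monitor` is an invented package.

```python
"""Triage enabled Android accessibility services from `adb shell settings` output.

Added example for the AccessibilityService abuse pattern described above; it
is not code from the referenced proof-of-concept. It assumes you administer
the device and have captured two secure settings:

    adb shell settings get secure enabled_accessibility_services
    adb shell settings get secure accessibility_enabled

The allowlist below is a hypothetical policy; only the TalkBack component
name in it is real.
"""
import subprocess
from dataclasses import dataclass

KNOWN_GOOD_SERVICES = frozenset({
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
})


@dataclass(frozen=True)
class AccessibilityFinding:
    component: str   # fully qualified pkg/class of the enabled service
    package: str     # owning package, the unit you would investigate or remove
    active: bool     # True when the framework reports accessibility switched on


def parse_enabled_services(raw: str) -> list[str]:
    """Split the colon-separated ComponentName list stored in secure settings.

    Entries look like ``pkg/.Service`` (short form) or ``pkg/full.class.Name``;
    an empty value or the literal ``null`` means nothing is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def expand_component(component: str) -> str:
    """Expand short-form ``pkg/.Cls`` to ``pkg/pkg.Cls`` so comparisons are stable."""
    pkg, _, cls = component.partition("/")
    if cls.startswith("."):
        return f"{pkg}/{pkg}{cls}"
    return component


def audit_accessibility(enabled_raw: str, accessibility_enabled_raw: str,
                        allowlist: frozenset[str] = KNOWN_GOOD_SERVICES) -> list[AccessibilityFinding]:
    """Return one finding per enabled service whose component is not allowlisted.

    Services are reported even when the framework toggle is off, because a
    configured-but-dormant service still tells you which package asked for it.
    """
    active = accessibility_enabled_raw.strip() == "1"
    findings = []
    for component in parse_enabled_services(enabled_raw):
        full = expand_component(component)
        if full in allowlist:
            continue
        findings.append(AccessibilityFinding(full, full.split("/", 1)[0], active))
    return findings


def read_secure_setting(name: str) -> str:
    """Live variant: query a connected, authorised device (needs adb on PATH)."""
    result = subprocess.run(["adb", "shell", "settings", "get", "secure", name],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample value; com.example.monitor is an invented package.
    sample = ("com.google.android.marvin.talkback/.TalkBackService:"
              "com.example.monitor/.RemoteControlService")
    for finding in audit_accessibility(sample, "1"):
        state = "active" if finding.active else "configured but inactive"
        print(f"{finding.package}: {finding.component} ({state})")
```

The short-form expansion matters in practice: the same service can appear as `pkg/.Service` or `pkg/pkg.Service` depending on how it was enabled, and an allowlist that only matches one spelling produces false alarms. On a managed fleet the same comparison is better done against a device policy than ad hoc, but the parsing is identical.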

Related Stories

Widespread Privacy Risks from Mobile App Data Practices and Regulatory Age Verification Requirements

A recent large-scale analysis of 50,000 mobile applications has revealed that over 77% of these apps leak personally identifiable information due to insecure data handling and insufficient privacy controls. The study found that many iOS applications fail to include required privacy manifests, while Android apps often circumvent explicit data-safety disclosures, creating significant blind spots in user privacy protections. These vulnerabilities are particularly concerning given the central role mobile devices play in daily communications and financial transactions, making users susceptible to tracking, profiling, and data theft. The research underscores the systemic nature of privacy risks in the mobile app ecosystem, with both platforms exhibiting gaps in transparency and compliance.

In parallel, regulatory efforts to protect minors online are introducing new privacy challenges, as exemplified by Texas's SB 2420 law, which mandates age assurance for app store users and developers. Apple has voiced strong concerns that such laws require the collection and storage of sensitive personal information, such as government IDs, even for benign app downloads, thereby increasing the risk of data breaches. Starting January 1, 2026, Apple will require new account holders to confirm they are over 18, and minors will need parental consent for app downloads and purchases, further expanding the amount of sensitive data collected. Apple argues that these requirements should be limited to apps where age verification is truly necessary, warning that blanket mandates could have unintended privacy consequences. The complexity is heightened by the patchwork of state-level laws, with similar regulations set to take effect in Utah and Louisiana, compelling developers to adapt to varying compliance standards.

The risks of such data collection are not theoretical; a recent breach at a third-party provider for Discord, which handled age verification, resulted in the exposure of sensitive government ID images. This incident illustrates the tangible dangers of accumulating large repositories of personal data for regulatory compliance. The convergence of insecure app data practices and regulatory-driven data collection amplifies the threat landscape for mobile users. Both industry and regulators face the challenge of balancing user safety, especially for minors, with the imperative to minimize unnecessary data exposure. The findings highlight the urgent need for stronger privacy-by-design principles in app development and more nuanced regulatory approaches that do not inadvertently increase user risk. As mobile platforms continue to evolve, ongoing vigilance and collaboration between stakeholders will be essential to safeguard user privacy. The situation calls for immediate action from app developers, platform providers, and policymakers to address these multifaceted privacy threats. Users are advised to remain cautious about the permissions they grant and the information they share with mobile applications. The broader industry must prioritize transparency, user control, and robust security measures to restore trust in the mobile app ecosystem.
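Both the smart-home study above (privacy labels that disagree with in-app permission use) and this story's finding that many iOS apps ship without a privacy manifest come down to the same cross-check, shown here as an added example that is not code from either study. An app's `Info.plist` can only prompt for a permission if it carries the matching `NS*UsageDescription` key, so each such key is a signal that the corresponding data category should either appear in `PrivacyInfo.xcprivacy` under `NSPrivacyCollectedDataTypes` or be documented as on-device only. The key names and data-type identifiers are Apple's; the mapping between them is this example's own heuristic, and both plists are constructed samples for an invented bundle `com.example.smartcam`.

```python
"""Cross-check iOS usage-description keys against the app's privacy manifest.

Added example, not from the cited studies. The mapping from NS*UsageDescription
keys to NSPrivacyCollectedDataType identifiers is a triage heuristic assumed
here, not Apple's review logic: a hit means "review", not "violation".
"""
import plistlib
from typing import Optional

# Heuristic (assumed): usage-description key -> data types a reviewer would
# expect to see declared if that permission feeds collected data.
USAGE_KEY_TO_DATA_TYPES = {
    "NSCameraUsageDescription": {"NSPrivacyCollectedDataTypePhotosorVideos"},
    "NSMicrophoneUsageDescription": {"NSPrivacyCollectedDataTypeAudioData"},
    "NSContactsUsageDescription": {"NSPrivacyCollectedDataTypeContacts"},
    "NSLocationWhenInUseUsageDescription": {
        "NSPrivacyCollectedDataTypePreciseLocation",
        "NSPrivacyCollectedDataTypeCoarseLocation",
    },
    "NSLocationAlwaysAndWhenInUseUsageDescription": {
        "NSPrivacyCollectedDataTypePreciseLocation",
        "NSPrivacyCollectedDataTypeCoarseLocation",
    },
}

# Constructed Info.plist: asks for camera, microphone, contacts and location.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.smartcam</string>
<key>NSCameraUsageDescription</key><string>Show the live camera feed.</string>
<key>NSMicrophoneUsageDescription</key><string>Talk through the camera.</string>
<key>NSContactsUsageDescription</key><string>Share clips with friends.</string>
<key>NSLocationWhenInUseUsageDescription</key><string>Find nearby devices.</string>
</dict></plist>"""

# Constructed PrivacyInfo.xcprivacy: declares only photos/videos.
PRIVACY_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSPrivacyTracking</key><false/>
<key>NSPrivacyCollectedDataTypes</key><array><dict>
  <key>NSPrivacyCollectedDataType</key><string>NSPrivacyCollectedDataTypePhotosorVideos</string>
  <key>NSPrivacyCollectedDataTypeLinked</key><true/>
  <key>NSPrivacyCollectedDataTypeTracking</key><false/>
  <key>NSPrivacyCollectedDataTypePurposes</key><array>
    <string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string></array>
</dict></array>
</dict></plist>"""


def declared_data_types(manifest: Optional[dict]) -> set[str]:
    """Collect the NSPrivacyCollectedDataType identifiers a manifest declares."""
    if not manifest:
        return set()
    return {entry.get("NSPrivacyCollectedDataType", "")
            for entry in manifest.get("NSPrivacyCollectedDataTypes", [])}


def audit_privacy_manifest(info_plist: bytes,
                           privacy_manifest: Optional[bytes]) -> list[tuple[str, str]]:
    """Return (key, message) pairs for permissions with no matching declaration.

    A missing manifest is itself the first finding; tracking-flagged data
    types are reported so a reviewer can compare them with the store label.
    """
    info = plistlib.loads(info_plist)
    findings: list[tuple[str, str]] = []
    manifest = None
    if privacy_manifest is None:
        findings.append(("PrivacyInfo.xcprivacy", "privacy manifest missing"))
    else:
        manifest = plistlib.loads(privacy_manifest)
    declared = declared_data_types(manifest)
    for key, expected in USAGE_KEY_TO_DATA_TYPES.items():
        if key in info and not (expected & declared):
            findings.append((key, "usage string present but none of "
                                  f"{sorted(expected)} declared"))
    if manifest:
        for entry in manifest.get("NSPrivacyCollectedDataTypes", []):
            if entry.get("NSPrivacyCollectedDataTypeTracking"):
                findings.append((entry.get("NSPrivacyCollectedDataType", "?"),
                                 "declared as used for tracking"))
    return findings


if __name__ == "__main__":
    for key, msg in audit_privacy_manifest(INFO_PLIST, PRIVACY_MANIFEST):
        print(f"{key}: {msg}")
```

Run against an `.ipa` you have unpacked, the same function takes the real `Info.plist` and `PrivacyInfo.xcprivacy` bytes from the app bundle; a permission string with no declared data type is exactly the label/behaviour mismatch the studies describe, and is where the in-app settings should be read next.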

5 months ago

Android Mobile Apps Expose Sensitive User Data Through Security Weaknesses and Side-Channel Attacks

Researchers have uncovered significant security and privacy issues in Android mobile applications, particularly those in the healthcare sector. A comprehensive study analyzed 272 healthcare-related Android apps, revealing that many transmit sensitive user data without encryption, store files insecurely, or share information with third-party components without adequate safeguards. The research team employed multiple static analysis tools, including MobSF, RiskInDroid, and OWASP Mobile Audit, to assess the security posture of these apps. MobSF identified weaknesses in permissions, network handling, certificate management, and manifest configuration, with app security scores ranging from 35 to 60 out of 100. RiskInDroid found that 150 apps used undeclared permissions, potentially creating hidden channels for data exfiltration, and flagged proprietary permissions that could bypass standard Android security controls. The OWASP Mobile Audit of 95 apps detected issues such as unencrypted local storage, hardcoded credentials, and missing input validation, mapping these weaknesses to the OWASP Mobile Top 10 categories.

In parallel, researchers have demonstrated that some Android apps can bypass operating system permissions to access sensitive data through hidden methods and side-channel attacks. One such attack, dubbed 'Pixnapping' and tracked as CVE-2025-48561, allows a malicious app to capture screen display pixels, potentially exposing sensitive information like two-factor authentication codes. The Pixnapping attack was demonstrated on multiple devices, including Google Pixel 6 through 9 and Samsung Galaxy S25, and is conceptually similar to a 12-year-old browser-based data-stealing technique. Despite previous attempts by Google to address this vulnerability, researchers showed that the flaw remains exploitable on Android versions 13 to 16.

The ability of apps to sidestep permissions and leverage hardware side channels raises serious concerns about the effectiveness of current Android security controls. These findings highlight the urgent need for stronger app vetting processes, improved permission management, and enhanced user awareness regarding the risks of installing mobile applications. The exposure of sensitive healthcare data is particularly alarming, given the potential for identity theft, fraud, and privacy violations. Security experts recommend that users exercise caution when granting permissions to apps and that developers adhere to best practices for secure coding and data protection. The research underscores the importance of regular security assessments and updates to address emerging threats in the mobile ecosystem. Industry standards such as the OWASP Mobile Top 10 provide a useful framework for identifying and mitigating common vulnerabilities. The ongoing discovery of new attack vectors, such as Pixnapping, demonstrates that attackers continue to innovate, necessitating a proactive and layered approach to mobile security. Organizations handling sensitive data, especially in healthcare, must prioritize mobile app security to protect user privacy and comply with regulatory requirements. The convergence of insecure app design and advanced attack techniques poses a growing threat to the confidentiality and integrity of user data on Android devices.
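The manifest-level checks that MobSF and RiskInDroid report on (dangerous and proprietary permissions, cleartext networking, exported components) are simple enough to reproduce against a decoded `AndroidManifest.xml`, so here is an added example of that audit; it is not code from those tools or from the study, and the sample manifest for the invented package `com.example.health` is constructed. The dangerous-permission list is a subset of Android's runtime permissions, and the finding labels are this example's own. It also reports any declared accessibility service, which ties back to the AccessibilityService abuse pattern in the main story.

```python
"""Static checks on a decoded AndroidManifest.xml (as produced by apktool/aapt).

Added example in the spirit of the MobSF/RiskInDroid findings above; it is not
code from those tools. The permission list is a subset of Android's runtime
(dangerous) permissions and the finding labels are this example's own.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = f"{{{ANDROID_NS}}}"   # ElementTree's Clark notation for android:* attributes

DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION", "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample: a health app that reads SMS, uses a proprietary
# permission, allows cleartext HTTP, and exposes an unprotected receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.health">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="com.example.health.permission.INTERNAL"/>
  <application android:allowBackup="false" android:usesCleartextTraffic="true">
    <receiver android:name="com.example.health.SmsReceiver" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <service android:name="com.example.health.SupportService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""


def audit_manifest(xml_text: str) -> list[tuple[str, str]]:
    """Return (finding-kind, detail) pairs for the manifest weaknesses checked here."""
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str]] = []

    # Declared permissions: runtime-dangerous ones and non-platform (proprietary) ones.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(A + "name", "")
            if name in DANGEROUS:
                findings.append(("dangerous-permission", name))
            elif not name.startswith("android.permission."):
                findings.append(("non-platform-permission", name))

    app = root.find("application")
    if app is None:
        return findings

    if app.get(A + "usesCleartextTraffic") == "true":
        findings.append(("cleartext-traffic", "usesCleartextTraffic=true"))
    if app.get(A + "debuggable") == "true":
        findings.append(("debuggable", "debuggable=true"))
    if app.get(A + "allowBackup", "true") == "true":   # attribute defaults to true when omitted
        findings.append(("backup-allowed", "allowBackup not disabled"))

    # Exported components with no permission guard are reachable by any app.
    for comp in app:
        if comp.tag in ("activity", "service", "receiver", "provider") \
                and comp.get(A + "exported") == "true" and not comp.get(A + "permission"):
            findings.append(("exported-unprotected", f"{comp.tag} {comp.get(A + 'name')}"))

    # Any service binding the accessibility action deserves a second look.
    for svc in app.iter("service"):
        for action in svc.iter("action"):
            if action.get(A + "name") == ACCESSIBILITY_ACTION:
                findings.append(("accessibility-service", svc.get(A + "name", "?")))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_manifest(SAMPLE_MANIFEST):
        print(f"{kind}: {detail}")
```

These checks only see what the manifest declares; the "undeclared permissions" RiskInDroid reports come from comparing declared permissions with the API calls actually present in the bytecode, which needs a decompiler pass on top of this.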

5 months ago

Mobile App and Malware Risks: AI Chat Data Exposure and New Android/iOS Spyware

The *Chat & Ask AI* mobile app reportedly exposed a large volume of private user conversations due to an insecure Google Firebase backend configuration that allowed unauthorized access by effectively letting anyone present as an “authenticated” user. Reporting indicates the exposed dataset included roughly **300 million messages** tied to **25+ million users**, with logs containing full chat histories, timestamps, user-defined AI companion names, and model/configuration details (e.g., use of ChatGPT/Claude/Gemini via the wrapper app). Sampled content included highly sensitive and potentially harmful queries (e.g., self-harm, illegal drug manufacturing, and hacking), creating significant privacy and safety risk even though the underlying third-party AI model providers were not reported as compromised.

Separately, researchers described two emerging mobile malware threats: **ZeroDayRAT**, a commercially advertised spyware platform sold via Telegram that claims broad Android/iOS support and provides operators with extensive device telemetry and hands-on capabilities (e.g., notification/SMS capture, OTP interception for 2FA bypass, keylogging, camera/microphone activation, GPS tracking, and crypto theft modules); and **GhostChat**, an Android malware family distributed as trojanized APKs mimicking popular chat apps (including WhatsApp) that injects into app processes to intercept messages, steal credentials, and exfiltrate contacts/media. An unrelated item reported that *AI.com*’s Super Bowl-driven traffic surge caused a service outage attributed to Google rate limiting, but it did not describe a security incident or compromise.

1 month ago
