Mobile security firm Appthority discovered a new vulnerability among iOS and Android apps that has compromised millions of text messages, phone calls, and voice recordings.
The vulnerability, which was given the name Eavesdropper, can be exploited by hackers, but the blame for the bug falls on careless developers.
What Does The Eavesdropper Bug Do?
In its report on the Eavesdropper vulnerability, Appthority noted that the bug gives hackers the ability to access text messages, phone calls, and voice recordings in nearly 700 iOS and Android apps.
About 33 percent of the apps are business-related, and more than 170 of them are currently available in Apple's App Store and the Google Play Store. The affected Android apps have been downloaded up to 180 million times, while the figure is unknown for the affected iOS apps.
Examples of apps that have the Eavesdropper bug include an app for secure communications within a federal law enforcement agency, an app that allows a company's sales team to make audio recordings and add real-time annotations to discussions, as well as branded and white-label navigation apps for customers that include AT&T and U.S. Cellular.
The Eavesdropper vulnerability is a major one because it is easy for hackers to exploit. The information that hackers can acquire by taking advantage of the bug also adds to its seriousness, as it can reveal a company's confidential matters.
Careless Developers Blamed For Eavesdropper Bug
The Eavesdropper bug does not require a jailbroken or rooted smartphone, does not exploit a vulnerability in an operating system, and does not rely on installing malware to launch its attack.
Eavesdropper is instead caused by careless developers who failed to follow the security guidelines of cloud communications platform Twilio. The Twilio REST API and SDK let developers easily add messaging and calling features to their apps. However, some developers who used the API left their credentials hard-coded in the app, which allows hackers to access all the metadata stored in their Twilio accounts, including all the communications made through the compromised apps.
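As an added example (not from the Appthority report or from Twilio), the following defender-side check scans decompiled app code for the Eavesdropper condition: a Twilio Account SID and an auth token embedded together as string literals. The SID ("AC" plus 32 hex characters) and token (32 hex characters) formats used here are assumptions about Twilio's identifier layout, and the sample source and credential values are constructed.

```python
import re

# Twilio Account SIDs are "AC" followed by 32 hex characters and auth tokens are
# 32 hex characters (assumed layout). Matching any 32-hex literal is a heuristic
# (an MD5 digest would also match), so findings are candidates for manual review.
SID_RE = re.compile(r"\bAC[0-9a-f]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-f]{32}\b")

def redact(secret: str) -> str:
    """Keep only the ends of a secret so the report never reprints it whole."""
    return secret[:4] + "..." + secret[-4:]

def find_twilio_credentials(source: str) -> list[dict]:
    """Scan source text (e.g. decompiled app code); one finding per credential-like literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        sids = SID_RE.findall(line)
        for sid in sids:
            findings.append({"line": lineno, "kind": "sid", "value": redact(sid)})
        for tok in HEX32_RE.findall(line):
            if any(tok in sid for sid in sids):  # defensive: never double-report a SID
                continue
            findings.append({"line": lineno, "kind": "token", "value": redact(tok)})
    return findings

def risk_level(findings: list[dict]) -> str:
    """SID plus token is the Eavesdropper condition: full REST API access to the account."""
    kinds = {f["kind"] for f in findings}
    if {"sid", "token"} <= kinds:
        return "critical"
    if "sid" in kinds:
        return "review"  # a SID alone is not secret; check where the token comes from
    return "clean"

# Constructed sample of decompiled Android code; the credential values are made up.
SAMPLE_SOURCE = """\
package com.example.app;
public class TwilioConfig {
    static final String ACCOUNT_SID = "ACdeadbeef0123456789abcdef01234567";
    static final String AUTH_TOKEN  = "0123456789abcdef0123456789abcdef";
}
"""

if __name__ == "__main__":
    found = find_twilio_credentials(SAMPLE_SOURCE)
    for f in found:
        print(f"line {f['line']}: {f['kind']} {f['value']}")
    print("risk:", risk_level(found))
```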
Appthority discovered Eavesdropper back in April and told Twilio about it in May. Twilio has since reached out to the developers behind the affected apps and is helping them apply the necessary security protocols.
The mobile security firm, however, cautioned that the problem might not be limited to apps built with Twilio. It claims that hard-coding credentials is a common developer error, so other apps made by the same careless developers may also have security issues.