Thousands of people who used an app called WiFi Finder to locate public Wi-Fi hotspots and share their login details inadvertently uploaded their own home Wi-Fi passwords to the app's database, which has now been exposed online.
Le sigh.
TechCrunch reported Monday that the app, whose developer appears to be based in China, had been downloaded by more than 100,000 people and had collected more than 2 million Wi-Fi passwords from around the world. Among other things, the database contains each network's name (SSID), its exact geolocation, and its password in plaintext.
The app lets users upload the lists of Wi-Fi passwords saved on their phones, but it makes no distinction between public hotspots and home networks. Thousands of users in the US alone apparently did not notice this, to say nothing of the glaring oversights on the part of the app developer.
The database itself was discovered by Sanyam Jain, a security researcher and member of the GDI Foundation, TechCrunch reported.
For more than two weeks, Jain and security reporter Zack Whittaker attempted to contact the company behind the app, which is listed on Google Play as "Proofusion." They had no success. Eventually, cloud host DigitalOcean stepped in and took the database offline.
The potential consequences of this leak, while severe, are likely limited by the fact that an attacker would have to target individual households in the database one at a time. (The geolocation data in the database does make that targeting easier, however.)
An attacker could hypothetically use the credentials to change router settings, intercept logins, spread malware across a network, and take over smart-home devices such as security cameras. Career cybercriminals, though, would probably find that process tedious. These days it is far easier to send a single malicious link to a few million users and see who takes the bait.
What is truly terrible is knowing that so many people continue to download apps from companies no one has ever heard of, granting them access to all sorts of personal information about themselves and about others.
For example, to download WiFi Finder, users had to grant access to their location and to their complete contact list, that is, the phone numbers and email addresses of all their friends and family members, and in some cases their birthdays and social media profiles, plus, for no apparent reason, permission to read, modify and delete data stored on the phone.
In case you did not already know: do not use apps that demand these permissions.
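One way to act on that advice is to audit what is already installed. The script below is an added example, not code from the article or from the app's developer: it parses the output of `adb shell dumpsys package <pkg>` and flags grants of the permission classes the article describes (location, contacts, external storage). The `dumpsys` sample is constructed to mirror that format so the script runs offline, and the package name `com.example.wififinder` is hypothetical; to audit a real device, capture the output of `adb shell dumpsys package <pkg>` and feed it in instead.

```python
"""Flag Android permission grants that an unknown "free Wi-Fi" app should not need.

Added example (not from the original article). Parses `adb shell dumpsys package <pkg>`
output; SAMPLE_DUMPSYS below is constructed to mirror that format for offline use.
"""
import re

# Permissions whose grant to an obscure utility app deserves a second look.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_EXTERNAL_STORAGE": "read files on the phone",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify/delete files on the phone",
}

# Constructed sample in the shape of `adb shell dumpsys package com.example.wififinder`.
# The package name is hypothetical; the layout (install vs. runtime permission
# sections, "granted=true|false" markers) follows real dumpsys output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.wififinder] (a1b2c3):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
      android.permission.READ_CALENDAR
      android.permission.WRITE_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.WRITE_EXTERNAL_STORAGE: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALENDAR: granted=false, flags=[ USER_SET ]
"""

# Matches "android.permission.X: granted=true" lines in both the install and
# runtime sections; trailing ", flags=[...]" text is ignored.
_GRANT_RE = re.compile(r"^\s*([\w.]+):\s*granted=(true|false)", re.MULTILINE)


def parse_granted_permissions(dumpsys_text):
    """Return the set of permissions dumpsys reports as granted=true."""
    return {
        name for name, state in _GRANT_RE.findall(dumpsys_text) if state == "true"
    }


def risky_grants(dumpsys_text):
    """Map each granted risky permission to a plain-language description."""
    granted = parse_granted_permissions(dumpsys_text)
    return {p: RISKY_PERMISSIONS[p] for p in sorted(granted) if p in RISKY_PERMISSIONS}


def report(dumpsys_text):
    """Human-readable lines for the grants worth questioning."""
    return [f"{perm}: {why}" for perm, why in risky_grants(dumpsys_text).items()]


if __name__ == "__main__":
    for line in report(SAMPLE_DUMPSYS):
        print(line)
```

Note that only grants marked `granted=true` are reported: a permission that is merely requested in the manifest (here `READ_CALENDAR`, which the sample shows as denied) is not counted, so the output reflects what the app can actually do on the device, not just what it asked for.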
Google Play itself remains a total shitshow and one of the easiest ways to spread malware to the masses quickly. For example, researchers in January found that 9 million Android users had been infected by dozens of malicious apps. A month earlier, another group of researchers found 22 apps, downloaded more than 2 million times, that secretly opened tiny browser windows, repeatedly clicked on advertisements, and drained users' batteries. Last month, Google deleted around 200 adware-infected apps that had been downloaded almost 150 million times. The list goes on.
While it is true that well-known companies can also lose user data or simply misuse it (if you have a Facebook product installed on your phone, bless your heart), users can reduce the risk of being outsmarted by an attacker and/or an untrustworthy app by (at least) googling the name of the app developer, just as you would before hiring a mechanic, an electrician, or anyone else you are about to trust.
You should be especially skeptical when a service is offered for free. If a random stranger offered to fix the brakes on your car for free, you would probably decline (I would hope). Downloading a random app with this level of access to your data is a lot like unlocking your phone and handing it to a stranger at the mall.