The private data of Google users was vulnerable to cyberattackers via Google’s app on Android users’ phones, according to mobile app security company Oversecured.
Google acknowledged the vulnerability and said it rolled out a fix to the problem last month.
Oversecured said Thursday it discovered problems with the Google app’s code while working to secure pre-installed apps on Android devices.
The flaw in Google’s code exposed the data accessible to the Google app to cyberattackers, including users’ search history, mail from Gmail, contacts, call history, access to read and send messages, and much more.
“The attacker’s app needed to launch only once for this attack to succeed,” said Oversecured on its blog. “After that, even if the app was removed, the malicious functionality would continue to be present in the Google app independently. Moreover, the attack did not require any user consent or notice.”
Google said its Google Play Protect product detects and blocks such malicious apps and the company is not aware of cyberattackers exploiting the vulnerability.
The company also said it delivered its fix to users in early May and touted Oversecured’s participation in its Vulnerability Rewards Program, which provides financial incentives for security researchers to uncover problems in Google products.
“We are appreciative of Oversecured and the broader security community’s participation in these programs,” said a Google spokesperson in a statement. “We rolled out a fix to our users more than a month ago and have not seen any evidence of exploitation.”