Popular Android Messaging App Possesses Flaw That Exposes Private User Messages

Joanna Estrada
November 21, 2020

GO SMS Pro, a popular messaging app for Android with over 100 million installs, has been found to have an unpatched security flaw that publicly exposes media transferred between users, including private voice messages, photos, and videos.

What's truly concerning is that security researchers at Trustwave informed the chat app's developer about this issue three months ago. After receiving no response to any of their numerous emails, they chose to go public so that users can be informed and can avoid using the app, or at the very least avoid sharing any kind of multimedia through it.

Recently we reported on VivaVideo, yet another app available on Google Play that could put Android users at risk by attempting to initiate premium subscriptions and delivering "invisible ads", essentially stealing money from the user. If you're one of the many millions of people who have already installed it, stop using the app and delete it, and tell any contacts who use it to do the same. The app had a flaw that leaked messages shared between users. Even after being informed about the flaw, its developer did nothing to fix the bug.

"As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future", the researchers noted.

After the reports came out, Google took no action beyond removing the app from the Google Play Store.

Trustwave's researchers said that it is trivial to create a simple script that would quickly generate a list of addresses linking to photos and videos shared using this vulnerable app.

Users are still advised to upgrade to the latest version, in the hope that it addresses the bug, and also to avoid using the application for a while, as "it is highly recommended to avoid sending media files via the app that you expect to remain private or that may contain sensitive data, at least until the vendor acknowledges this vulnerability and remediates it", SpiderLabs commented. However, the China-based company did not respond to confirm whether the issue was fixed.

If the other user is not using the app, you can send them a link by regular SMS, and the user can then view the file in the browser. But the researchers found that these web addresses were sequential. They can also connect to your Instagram DMs if you update your Instagram app, and you have the option to encrypt your conversations.

"If the recipient has the GO SMS Pro app on their device, the media would be displayed automatically within the app", Tan said.
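
The sequential link addresses described above can be set beside a design whose links cannot be guessed. The following Python code is an added example, not code from GO SMS Pro or Trustwave; the class names, the starting counter value, the expiry time and the failed-lookup limit are assumptions, and storage is an in-memory dictionary.

```python
import secrets
import time

class SequentialShare:
    """Weak pattern: link IDs come from a counter and the ID alone grants access."""
    def __init__(self):
        self._next_id = 1000               # constructed starting value
        self._media = {}

    def share(self, blob):
        link_id = str(self._next_id)
        self._next_id += 1
        self._media[link_id] = blob
        return link_id

    def fetch(self, link_id):
        return self._media.get(link_id)    # no check beyond knowing the ID

class TokenShare:
    """Hardened pattern: unguessable token, expiry, and a cap on failed lookups."""
    def __init__(self, ttl_seconds=7 * 24 * 3600, max_misses=5):
        self._ttl = ttl_seconds
        self._max_misses = max_misses
        self._media = {}                   # token -> (blob, expiry time)
        self._misses = {}                  # client -> failed lookup count

    def share(self, blob, now=None):
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        issued = time.time() if now is None else now
        self._media[token] = (blob, issued + self._ttl)
        return token

    def fetch(self, token, client, now=None):
        if self._misses.get(client, 0) >= self._max_misses:
            return None                    # client locked out after repeated misses
        current = time.time() if now is None else now
        entry = self._media.get(token)
        if entry is None or current >= entry[1]:
            self._media.pop(token, None)   # drop the entry if it has expired
            self._misses[client] = self._misses.get(client, 0) + 1
            return None                    # unknown or expired token counts as a miss
        return entry[0]
```

With the counter-based class, the link issued to one user differs from the next user's link by one; with the token-based class, neighbouring links share nothing and repeated wrong guesses from one client are cut off.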
