An Android app with over 5 million installs exposed its users to widespread data theft by reportedly leaving its Firebase instance open.

The app in question is called Web Explorer – Fast Internet. As the name suggests, it was meant to help improve browsing speeds on mobile devices by up to 30%, and it had a 4.4-star rating.

The app developer left their database exposed, and it contains several days' worth of private browsing information, Cybernews reported. This means that any malicious actor could access the sensitive data.

It's important to note that the app data is still anonymous. However, it could easily be de-anonymized by cross-referencing other data sets. This would expose users to far more privacy risks than might have been the case otherwise.

"If threat actors could anonymize app users, they could check a bunch of information about a specific user's browsing history and use it for extortion," said the researchers' team from Cybernews.

Your personal data is at risk

When an app developer fails to secure their database and leaves it exposed, hackers can access users' private data, leading to problems like identity theft and financial loss for the app's users. The developer could be liable for damages if the exposed data is used to harm users.

How does it work?

  • The hacker could gain access to the private data of the app users for malicious purposes.
  • The app could be subject to legal action if the data breach is deemed to be the developer's fault.
  • The app could be banned from app stores or removed from user devices if flagged as malicious.
  • The reputation of the app could be damaged if news of the data breach gets out.

What to do next?

If you have downloaded the malicious Web Explorer app, there are a few things you can do to protect yourself.

  • Change your passwords immediately, especially if you use the same password for multiple accounts.
  • Enable two-factor authentication on all of your accounts that offer it. This will help protect your accounts even if your passwords are compromised.
  • Check for suspicious activity on your financial accounts. If you see anything unusual, report it to the company immediately.
  • Be cautious of any emails, texts or calls that claim to be from the company whose data was hacked.
  • Do not click on any link or provide any personal information unless you are sure it is safe to do so.
  • Keep an eye on your credit report and credit scores. If you see any unexpected activity, report it to the appropriate credit bureau.
  • Use a credit monitoring service to help protect your identity and keep track of any changes to your personal information.