The failure of mobile application developers to patch critical secure sockets layer (SSL) vulnerabilities could potentially impact millions of mobile phone users, according to the McAfee Labs Threats Report: February 2015. It said that in September 2014, the Computer Emergency Response Team (CERT) at Carnegie Mellon University released a list of vulnerable mobile applications, and that McAfee Labs in January tested the 25 most popular apps on the list.
During the tests, it was found that 18 of the 25 had still not been patched despite public disclosure, vendor notification and, in some cases, multiple version updates addressing concerns other than security.
The report said the most downloaded vulnerable app in this group is a mobile photo editor with between 100 million and 500 million downloads. The app allows users to share photos on several social networks and cloud services.
"McAfee Labs researchers simulated man-in-the-middle (MITM) attacks that successfully intercepted information shared during supposedly secure SSL sessions. The vulnerable data included usernames and passwords and, in some instances, login credentials from social networks and other third-party services," it said.
Although there is no evidence that these mobile apps have been exploited, the cumulative number of downloads for these apps ranges into the hundreds of millions, the report said. "Given these numbers, McAfee Labs' findings suggest that the choice by mobile app developers to not patch the SSL vulnerabilities has potentially put millions of users at risk of becoming targets of MITM attacks," it added.
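The MITM interception the report describes only succeeds when the app's TLS client accepts a certificate it should reject, typically one that does not chain to a trusted root or does not match the host name the app connected to. The following is an added example written for this page, not code from McAfee Labs, CERT or any of the apps in the report; it assumes a Java/Android client using `HttpsURLConnection` and a hypothetical API endpoint `https://api.example.invalid/login`. The first method shows the override pattern that defeats certificate and host name checking, so reviewers can recognise and remove it; the second shows the corrected client, which simply leaves the platform defaults in place.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsClientCheck {

    // Hypothetical endpoint, not taken from the report.
    static final String ENDPOINT = "https://api.example.invalid/login";

    /**
     * WEAK SETTING: a TrustManager that never throws and a HostnameVerifier
     * that always returns true. With these overrides the client accepts any
     * certificate presented on the wire, which is exactly what lets an
     * on-path proxy sit inside a "secure" session. Shown here only so the
     * pattern can be found and removed during code review.
     */
    static HttpsURLConnection weakClient(URL url) throws Exception {
        TrustManager[] trustEverything = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustEverything, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true);
        return conn;
    }

    /**
     * CORRECTED SETTING: no custom TrustManager and no custom HostnameVerifier.
     * The platform default validates the chain against the system trust store
     * and checks that the certificate matches the URL's host name, so a
     * substituted certificate fails the handshake instead of being accepted.
     */
    static HttpsURLConnection hardenedClient(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return conn;
    }

    /**
     * Connects with the hardened client and reports whether the handshake
     * succeeded. An SSLHandshakeException here is the desired outcome when a
     * certificate is untrusted or does not match the host: the client refused
     * to talk rather than leaking credentials to whoever answered.
     */
    static boolean handshakeSucceeds(URL url) throws IOException {
        HttpsURLConnection conn = hardenedClient(url);
        try {
            conn.connect();
            // Only a validated peer reaches this point; the session's peer
            // certificates are therefore ones the trust store accepted.
            return conn.getServerCertificates().length > 0;
        } catch (SSLHandshakeException e) {
            return false;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        boolean ok = handshakeSucceeds(new URL(ENDPOINT));
        System.out.println("TLS handshake validated: " + ok);
    }
}
```

When auditing an app for this class of bug, the things to grep for are the pieces `weakClient` adds: an `X509TrustManager` whose `checkServerTrusted` has an empty body, a `HostnameVerifier` that returns `true` unconditionally, and calls to `setDefaultSSLSocketFactory` or `setDefaultHostnameVerifier` that install them process-wide. Any of those turns the report's "supposedly secure SSL session" into plaintext for whoever can get on the path.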
McAfee Labs also warned of increasingly aggressive potentially unwanted programs (PUPs) that change system settings and gather personal information without the knowledge of users. McAfee Labs reported that mobile malware samples grew 14 per cent during the fourth quarter of 2014, with Asia and Africa registering the highest infection rates.