Security researchers are warning users about a critical vulnerability in Android’s GO SMS Pro mobile application that has more than 100 million installs on the Play Store. According to Trustwave researchers, the instant messaging app is exposing the images, videos, and privately shared messages of millions of GO SMS Pro users. If exploited, the flaw could allow cybercriminals to obtain unrestricted access to users’ personal data.
“Any sensitive media shared between users of this messenger app is at risk of being compromised by an unauthenticated attacker or curious user,” Trustwave researchers said.
The vulnerability affects GO SMS Pro v7.91. “It is unclear which other versions are affected but we believe this is likely to affect previous and potentially future versions as well,” the researchers added. Like all messenger apps, GO SMS Pro allows users to send private text and media to other users. If the recipient does not have the app, the text or media file is delivered as a URL via SMS, and the recipient must click the link to view the file in a browser.
The link can be accessed without any authentication, so anyone who has the link can view the content. It is also suspected that a malicious user can abuse this procedure to access any text/media files sent via this process.
A new version of the app was released on the Play Store after Trustwave researchers notified users of the vulnerability they had discovered. The researchers stated that the new version of the app did not fix the issue.
“It seems like GOMO is attempting to fix the issue, but a complete fix is still not available in the app. For v7.93, it appears that they disabled the ability to send media files completely. In v7.94, they are not blocking the ability to upload media in the app, but the media does not appear to go anywhere. So, it appears they are in the process of trying to fix the root problem,” the researchers concluded.