Researchers found numerous applications that do not validate session cookies when app data is transferred between devices. As observed, this weakness lets an adversary clone an app from the victim’s device onto their own device using Android device migration tools, without authorization.
Missing Validation In Numerous Apps Enables Unauthorized App Cloning On Android
According to a recent report from CloudSEK, their researchers observed a serious security risk to Android users posed via phone clone-like features.
As explained, the researchers noticed numerous apps lacking session cookie validation when copying app data to other devices.
Cloning apps is a popular feature on Android devices. Numerous vendors, such as Samsung, Realme, and Oppo, come with built-in device migration tools to facilitate users in transferring apps and phone data to new devices.
While convenient, the lack of session cookie validation allows an adversary to clone apps onto their own device without the victim knowing. It merely requires the attacker to have physical access to the victim’s device, and if the target device lacks any security lock, such as a PIN code or biometric authentication, copying apps to another device takes only seconds.
For instance, the researchers mentioned WhatsApp as an example which, when cloned, even lets the attacker bypass 2FA because WhatsApp’s secret keys get copied to the new device.
At this point, the only way a user can know if someone has sneakily copied WhatsApp is by using WhatsApp Web, which would load messages from both devices. The user can look for any unrecognized messages sent from their account. Though, this method won’t work if the attacker deletes the relevant conversations.
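The mechanism described above, and the defensive control that stops it, are easiest to see side by side. The following Python simulation is an added example; it is not CloudSEK’s code, nor the code of any app named in the report. It models a phone-clone tool that copies an app’s stored data (including its session cookie) but not keys held in a device-bound key store, and compares a server that accepts the cookie alone with one that also demands proof of possession of the device key. The `Device`, `Server`, `migrate` and `run_scenario` names, the HMAC-based proof of possession and the two-dictionary model of "app data" versus "keystore" are all assumptions made for the illustration.

```python
"""Simulation: session cookies copied by a device-migration tool.

Assumption for this example: a migration tool copies an app's ordinary
storage (here `app_data`) but cannot export keys from a hardware-backed
key store (here `keystore`). Nothing here is real app or server code.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Device:
    """A phone. `app_data` is what a clone tool copies; `keystore` is not."""
    name: str
    app_data: Dict[str, str] = field(default_factory=dict)
    keystore: Dict[str, bytes] = field(default_factory=dict)

    def sign(self, nonce: bytes) -> str:
        """Prove possession of the device-bound session key (HMAC, as a stand-in
        for a hardware-backed signature)."""
        key = self.keystore.get("session_key")
        if key is None:
            return ""  # no device key: cannot prove possession
        return hmac.new(key, nonce, hashlib.sha256).hexdigest()


class Server:
    """Backend that either trusts the cookie alone or binds it to a device."""

    def __init__(self, bind_to_device: bool):
        self.bind_to_device = bind_to_device
        self.sessions: Dict[str, dict] = {}  # cookie -> {"user", "device_key"}

    def login(self, user: str, device: Device) -> None:
        cookie = secrets.token_hex(16)
        device_key = secrets.token_bytes(32)
        self.sessions[cookie] = {"user": user, "device_key": device_key}
        device.app_data["session_cookie"] = cookie   # copied by a clone tool
        device.keystore["session_key"] = device_key  # stays on this device

    def authenticate(self, device: Device) -> Optional[str]:
        """Return the user name for a valid request, or None."""
        session = self.sessions.get(device.app_data.get("session_cookie", ""))
        if session is None:
            return None
        if not self.bind_to_device:
            return session["user"]  # weak: a copied cookie is enough
        nonce = secrets.token_bytes(16)  # fresh challenge per request
        expected = hmac.new(session["device_key"], nonce, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, device.sign(nonce)):
            return session["user"]
        return None


def migrate(src: Device, dst: Device) -> None:
    """Model of a phone-clone tool: copies app data only, never the key store."""
    dst.app_data = dict(src.app_data)


def run_scenario(bind_to_device: bool) -> Tuple[Optional[str], Optional[str]]:
    """Log in on the victim's phone, clone to a second phone, try both."""
    server = Server(bind_to_device)
    victim = Device("victim")
    second_phone = Device("second_phone")
    server.login("alice", victim)
    migrate(victim, second_phone)
    return server.authenticate(victim), server.authenticate(second_phone)


if __name__ == "__main__":
    print("cookie only     :", run_scenario(bind_to_device=False))  # ('alice', 'alice')
    print("device-bound    :", run_scenario(bind_to_device=True))   # ('alice', None)
```

With `bind_to_device=False` the cloned phone is accepted as the victim, which is the behaviour the report describes; with `bind_to_device=True` the cookie still travels with the app data but is useless without the key that stayed behind, so the clone is refused while the original device keeps working. On a real Android app the device key would be an asymmetric key generated in the Android Keystore and the server would store only its public half; the symmetric HMAC here is a simplification for a self-contained run.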
The researchers demonstrated the attack using two Realme phones, RMX2170 and RMX3660, and some OnePlus and Oppo devices, using built-in migration tools such as Realme’s Clone Phone. However, the experiment didn’t work on Samsung phones, indicating those devices’ resistance to such one-click attacks.
List of apps vulnerable to malicious cloning:
The researchers list the following widely used apps as failing to invalidate session cookies.
- Canva
- BookMyShow
- Snapchat
- KhataBook
- Telegram
- Zomato
- WhatsApp Business
- Strava
- Highway Drive
- BlinkIT
- Future Pay (Big Bazaar, now owned by Reliance)
- Adani One
- Clash of Clans, Clash Royale (Supercell)
- Discord
- Booking.com
Regarding the impact of such attacks, the researchers highlight unauthorized access to victims’ accounts, leading to financial damage and reputational loss, as possible consequences.
Since this attack exploits the apps’ lack of a key security check, keeping devices secured with screen locks is the most practical way to prevent it. Likewise, the researchers advise users to enable 2FA on all accounts and never to leave their devices unattended in public places.
Let us know your thoughts in the comments.