Skype revealed today that data from its Android app is vulnerable, though only after the user has mistakenly installed a malicious third-party app on their Android device.
In a takedown last month, Google removed 21 applications from the Android Market after being alerted that the applications contained malicious code and were being used to steal user data. After the removal, Google used its fancy kill switch to remove the applications that were already installed on devices and were actively stealing data.
Skype said in a blog post that it only recently became aware that personal information may have been stolen by the malicious applications. Items including cached profile information and instant message logs could have been accessed by the applications. The security hole went unnoticed until earlier this week, when Android Police spotted it.
To reiterate, this vulnerability only affects devices that have Skype for Android installed and have previously had one of the 21 malicious applications from the Android Market installed. Even if you had one of the bad applications installed on your device, there is no way to know whether this information was accessed. Any users who downloaded these apps should immediately change their password and check their Skype messages for sensitive information that could have been revealed.
Skype says it is working hard to protect users from this vulnerability and any future attempts. Updates coming to the app will secure file permissions inside Skype for Android so data isn’t accessible to apps that gain root access.
The impact of this vulnerability is minor, but it is a reminder that mobile apps aren’t as secure or safe as we make them out to be. No matter the size of the company, all mobile developers should practice in a sandbox environment and should encrypt all user data to protect information from unauthorized access.