Addressing the Hidden Dangers of Abandoned Android Apps
The digital landscape is constantly evolving, and with it, the threats to our online security. A growing concern for Android users stems from applications that have been abandoned by their developers, leaving critical security vulnerabilities unpatched. Without essential updates, these apps can pose significant security risks, often without users even realizing the danger.
This issue highlights a broader challenge faced by Google concerning applications available in its Play Store and underscores the proactive solutions it plans to implement.
The Growing Threat of Unmaintained Applications
Critical Vulnerabilities in Popular Remote Control Apps
Researchers from the Synopsys Cybersecurity Research Center (CyRC) have issued a warning regarding three specific Android applications. These apps—Telepad, PC Keyboard, and Lazy Mouse—allow users to control their computers remotely using their smartphones as a keyboard and mouse.
According to the report, these programs collectively account for approximately 2 million installations. They contain a series of identified vulnerabilities, referenced by CVE-2022-45477 through CVE-2022-45483. Several of these vulnerabilities have received a critical rating of 9.8 on the Common Vulnerability Scoring System (CVSS) scale, indicating their severe potential impact.
The core problem is that these applications are no longer actively developed. Their creators have neither responded to the researchers’ reports nor provided security updates. Users who still have these apps installed are therefore left exposed to significant risk, often without knowing it, which highlights a systemic issue for Google and the wider Android ecosystem.
A Deeper Look into Android’s Security Debt
Widespread Vulnerabilities Across the Ecosystem
A comprehensive report by Quokka reveals that the Android ecosystem is heavily burdened with known Common Vulnerabilities and Exposures (CVEs) and outdated, unpatched components. These vulnerabilities are present not only within applications themselves but also in third-party libraries they utilize. This situation creates a substantial “security debt” that, in some cases, extends back more than a decade.
- Approximately 11% of analyzed Android applications contain components with critical CVEs.
- A staggering 65% include vulnerabilities classified as high severity.
Many of these issues are not new or obscure; they are well-documented, widely understood, and largely preventable using existing tools and security practices. The problem is systemic:
- 29 Android apps contained a high-severity CVE originally disclosed in 2009.
- 1096 Android apps included critical CVE code first revealed in 2017.
- 445 Android apps featured critical CVE code initially disclosed in 2018.
- 523 Android apps contained critical CVE code first exposed in 2019.
The same libraries—such as older versions of frameworks, parsers, advertising SDKs, or analytics tools—are reused across hundreds of applications, so a single CVE in a popular module can lead to widespread exposure across the entire Android ecosystem. Users should also understand the risks of installing apps from unverified sources by sideloading: doing so can bypass Google Play Protect’s safeguards and further expose a device to vulnerabilities.
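The report’s “security debt” figures come from matching the library versions bundled in each app against known advisories. The following added example (not code from Quokka or Synopsys) shows that kind of check on a constructed app inventory and a constructed advisory table with placeholder CVE identifiers; it flags apps that bundle an affected library version, computes the share of apps by worst severity, and counts how old the oldest critical CVE in each affected app is.

```python
from collections import Counter

# Constructed advisory table with placeholder identifiers (not real CVEs):
# the library, the first fixed version, the CVSS score and the disclosure year.
ADVISORIES = [
    {"id": "CVE-EXAMPLE-0001", "lib": "legacy-xml-parser", "fixed_in": "2.1.0", "cvss": 7.5, "year": 2009},
    {"id": "CVE-EXAMPLE-0002", "lib": "ad-sdk", "fixed_in": "4.0.0", "cvss": 9.8, "year": 2017},
    {"id": "CVE-EXAMPLE-0003", "lib": "analytics-core", "fixed_in": "1.3.2", "cvss": 9.1, "year": 2019},
]

# Constructed inventory: package name -> bundled library versions.
APPS = {
    "com.example.remote": {"legacy-xml-parser": "1.9.0", "ad-sdk": "3.2.1"},
    "com.example.notes": {"ad-sdk": "4.1.0", "analytics-core": "1.3.2"},
    "com.example.mouse": {"analytics-core": "1.2.0"},
    "com.example.reader": {"legacy-xml-parser": "2.0.5"},
    "com.example.clean": {"legacy-xml-parser": "2.1.0"},
}

def parse_version(v):
    return tuple(int(part) for part in v.split("."))

def severity(cvss):
    # CVSS v3 qualitative bands.
    if cvss >= 9.0: return "critical"
    if cvss >= 7.0: return "high"
    if cvss >= 4.0: return "medium"
    return "low"

def find_vulnerable_components(components, advisories=ADVISORIES):
    """Return advisories whose library is bundled in a version older than the fix."""
    hits = []
    for adv in advisories:
        ver = components.get(adv["lib"])
        if ver is not None and parse_version(ver) < parse_version(adv["fixed_in"]):
            hits.append(adv)
    return hits

def security_debt(apps, advisories=ADVISORIES):
    """Summarise the inventory the way the report does: share of apps carrying a
    critical (or at least high) CVE, and how old each app's oldest critical CVE is."""
    worst = Counter()
    oldest_critical_year = Counter()
    for components in apps.values():
        hits = find_vulnerable_components(components, advisories)
        if not hits:
            worst["clean"] += 1
            continue
        worst[severity(max(h["cvss"] for h in hits))] += 1
        crit_years = [h["year"] for h in hits if severity(h["cvss"]) == "critical"]
        if crit_years:
            oldest_critical_year[min(crit_years)] += 1
    total = len(apps)
    return {
        "share_with_critical": worst["critical"] / total,
        "share_with_high_or_worse": (worst["critical"] + worst["high"]) / total,
        "apps_by_oldest_critical_year": dict(oldest_critical_year),
    }
```

Real SCA tooling adds the hard parts this sketch skips: identifying which library and version is actually bundled in an APK, and advisory data with proper affected-version ranges rather than a single fixed-in version.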
Google’s Proactive Approach: New Warnings in the Play Store
Enhancing User Awareness with Play Protect
Historically, Google Play Protect primarily focused on alerting users to overtly malicious applications, such as malware, scams, or apps violating core security policies. However, if a developer chose to remove an app from the store or simply ceased updating it, users received no direct notification, leaving them in the dark about potential security risks.
To address this critical gap, Google is developing a new feature for the Play Store. This feature aims to notify Android users if an installed application has been removed from the store and will no longer receive updates, which could signal a significant threat to data security.
Independent researchers have observed references to these “abandoned app” notifications within the code of the Play Store application (including version 51.4.19). The alert message is expected to clearly state something along the lines of: “This app has been removed from Google Play and will no longer receive updates.” This clear communication will empower users to quickly identify and address the use of unmaintained software. This new feature is a step towards mitigating threats, much like ongoing efforts to counter sophisticated malware such as the BeatBanker malware, by ensuring users are better informed about the security posture of their installed applications.
Frequently Asked Questions (FAQ)
What are abandoned apps, and why are they a risk?
Abandoned apps are applications that are no longer actively updated or supported by their developers. They pose a significant risk because they often contain unpatched security vulnerabilities (CVEs). Without updates, these flaws can be exploited by malicious actors, potentially leading to data breaches, device compromise, or other security issues for users who still have them installed.
How severe are the vulnerabilities found in these apps?
The severity varies, but many have been rated as “critical” on the CVSS scale, with scores as high as 9.8. This indicates that they are easy to exploit and can lead to significant impact, including full system compromise or data theft. Researchers have identified hundreds of apps containing critical and high-severity CVEs, some of which have been known for over a decade.
What is Google doing about abandoned apps?
Google is implementing a new feature in the Play Store that will provide direct notifications to users if an installed app has been removed from the store and is no longer receiving updates. These warnings aim to clearly inform users about the status of their apps and the potential security implications, helping them decide whether to uninstall or seek alternatives.
What should I do if I receive an abandoned-app notification?
If you receive a notification that an app you have installed is abandoned and no longer updated, it is strongly recommended to uninstall it immediately. Continued use of such apps can expose your device and personal data to severe security risks due to unpatched vulnerabilities. You should then look for actively maintained alternatives in the Google Play Store.
Source: Android Headlines, BlackDuck, Phone Arena, Quokka.
Opening photo: Image generated by Nano Banana 2.