Paranoid Android: Antivirus app-makers resolve MitM vulnerability

Attack loophole in Panda app sealed

By John Leyden

Posted in Security, 10th May 2017 12:00 GMT

An Android anti-malware application from Panda Mobile Security has been updated after researchers discovered that an insecure update mechanism left users vulnerable to man-in-the-middle attacks.

Tom Moreton, a security researcher at Context, found that an insecure update mechanism in the product, which is available via Google Play, could be exploited to allow an attacker in a position to modify network traffic to inject their own functionality into the application.

Context’s findings were reported to the Spanish security firm, which fixed them in a recent version. A spokesman for Panda Security confirmed this, telling El Reg that "Panda Android apps for consumer and corporate security have all been updated to remove this potential vulnerability".

Panda Mobile Security has clocked up more than a million downloads. Context analysed the security of the product on the back of recent research by the Google Project Zero team, and specifically that of Tavis Ormandy, into the security of desktop anti-malware packages.

Context, at least, is yet to find flaws in other mobile anti-malware products. Its thesis that mobile anti-malware packages are just as riddled with bugs as their desktop counterparts nonetheless seems more than plausible. ®
