Thousands of users of an app called WiFi Finder, the stated purpose of which is, obviously, to locate and provide credentials for public WiFi hotspots, inadvertently submitted their own home WiFi passwords to the app’s database, which has now leaked online.
TechCrunch reported Monday that the app—which appears to be based in China, because of course it is—has been used by over a 100,000 people to collect more than 2 million WiFi passwords globally.
The database includes network names (SSID), precise geolocation, and *plaintext* passwords, among other data.
The app enables users to upload lists of stored WiFi passwords, but it has no mechanism to differentiate between public hotspots and home networks. Thousands of users in the U.S. alone apparently failed to notice this, to say nothing of the app developer’s obvious failures.
The database itself was discovered by Sanyam Jain, a security researcher and a member of the GDI Foundation, TechCrunch reported.
For over two weeks, Jain and security reporter Zack Whittaker tried to make contact with the company behind the app, which is listed as “Proofusion” on Google Play. They were unsuccessful. Eventually, cloud host DigitalOcean stepped in and took the database offline.
While the potential consequences of this fuckup are extreme, they are likely minimized by the fact that attackers would need to individually target the households contained in the database. (Although, this is more likely thanks to the geolocation data exposed by the database.)
Hypothetically, an attacker could use the credentials to fiddle with router settings, intercept logins, spread malware across a network, and takeover smart home devices, such as security cameras.
Career cybercriminals would likely find this process tedious, however. It’s far easier these days to spam a single malicious link out to a few million users and see who takes the bait.
What is horrifying is the knowledge that so many people are continuing to download apps developed by companies no one’s ever heard of, granting them access to all sorts of personal information about themselves and others.
Downloading WiFi Finder, for example, required users to surrender access to their locations, full contact lists—meaning phone numbers and email accounts of all their friends and family members, and in some cases their birthdays and social media profiles—as well as, for no particular reason, the ability to read, modify, and delete data on their phones.
If you didn’t already know, do not use apps that demand these permissions.
Google Play itself continues to be a total shitshow and one of the easiest ways to quickly spread malware to the incompetent masses. Researchers in January, for instance, found 9 million Android owners had been infected by dozens of malicious apps.
A month earlier, another group of researchers found 22 apps downloaded more than 2 million times that secretly opened tiny browser windows and repeatedly clicked on ads, draining users’ batteries.
And just last month, Google deleted some 200 apps infected with adware that had been downloaded nearly 150 million times. The list goes on.
While it’s true that major, reputable companies can also leak or simply intentionally misuse user data—if you’ve installed a Facebook product on your phone, bless your heart—users can reduce their risk of getting screwed-over by a malicious and/or untrustworthy app by taking a moment to (at the very least) Google the name of the app developer, as you might when selecting a mechanic, or an electrician, or anyone who’s approached you offering you some kind of service.
You should be particularly sceptical when a service is offered to you free of charge. If a random person offered to fix the breaks on your car for free, you would probably (I would hope) decline. Downloading a random app with this level of access to your data is virtually no different than unlocking your phone and handing it to a stranger at the mall.