Until recently, Google’s namesake Android app, which has more than five billion installs to date, had a vulnerability that could have allowed an attacker to quietly steal personal data from a victim’s device.
Sergey Toshin, founder of mobile app security startup Oversecured, said in a blog post that the vulnerability has to do with how the Google app relies on code that is not bundled with the app itself. Many Android apps, including the Google app, reduce their download size and the storage space needed to run by relying on code libraries that are already installed on Android phones.
But the flaw in the Google app’s code meant it could be tricked into pulling a code library from a malicious app on the same device instead of the legitimate code library, allowing the malicious app to inherit the Google app’s permissions and granting it near-complete access to a user’s data. That access includes access to a user’s Google accounts, search history, email, text messages, contacts and call history, as well as being able to trigger the microphone and camera, and access the user’s location.
The malicious app would have to be launched once for the attack to work, Toshin said, but that the attack happens without the victim’s knowledge or consent. Deleting the malicious app would not remove the malicious components from the Google app, he said.
A Google spokesperson told TechCrunch that the company fixed the vulnerability last month and it had no evidence that the flaw has been exploited by attackers. Android’s in-built malware scanner, Google Play Protect, is meant to stop malicious apps from installing. But no security feature is perfect, and malicious apps have slipped through its net before.
Toshin said the Google app vulnerability is similar to another bug discovered by the startup in TikTok earlier this year, which if exploited could have allowed an attacker to steal a TikTok user’s session tokens to take control of their account.
Oversecured has found several other similar vulnerabilities, including Android’s Google Play app and, more recently, apps pre-installed on Samsung phones.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
The do’s and don’ts of bug bounty programs with Katie Moussouris
