Google Play app “Peel Smart Remote” leaks users’ pictures by The Pradeo Lab

The Peel Smart Remote app is a widely used Google Play application (100M+ installs) that has often made the news because of its highly intrusive behaviors, such as full screen overlays and untimely advertising, causing poor user experience.

Last week, the Pradeo Security engine alerted its users about severe security issues discovered in the app’s 10.7.3.3 version. It has been found that the application collects and leaks users’ pictures to a server that does not belong to the app publisher. Last Friday, the application was updated on the Google Play store (now version 10.7.4.2), the leaky behavior has been removed from the code but yet no communication was made by the company on this matter. Because applications’ update is not automatic on all Android devices, millions of users running the former version of the app are still currently exposed.

Pictures leaked to an externally owned server

The Peel Smart Remote 10.7.3.3 version is programmed to send pictures contained in devices’ external storage to a server that does not belong to Peel Technologies. To prevent pictures from being breached, the Pradeo Lab advises anyone who uses this application to update it to its latest available version.

Data collection

Data sending

A massive list of permission requests

To access users’ pictures, the Peel Smart Remote application uses the following permissions:

Android.permission.WRITE_EXTERNAL_STORAGE
Android.permission.READ_EXTERNAL_STORAGE

According to the official Android app developers’ documentation, “External storage is the best place for files that don’t require access restrictions and for files that you want to share with other apps or allow the user to access with a computer”. By writing anything on external storage, the Peel Smart Remote app highly exposes its users’ data. By reading it, it accesses users’ pictures, video, audio and any other files stored on it.

Besides, it’s interesting to note that the application asks for critical permissions providing access to the camera, the contact list, the calendar and even allowing to record the audio. Although, these permissions don’t seem to be required for the use of the remote.

Android.permission.CAMERA
Android.permission.READ_CONTACTS
Android.permission.READ_CALENDAR
Android.permission.RECORD_AUDIO

Peel Smart Remote permission requests

Other sensitive information sent over the network

To finish, it appears in the report provided by the Pradeo Security engine that the application collects personal information such as users’ age, ethnicity, income, political orientations, etc., and sends them over the network.

Data collection

 

Data sending

 

The original code of the Peel Smart Remote is obfuscated by a tool (Proguard) that changes the functions’ name by letters, making them harder to understand at a human scale. In the 2 last screenshots, we replaced the obfuscated names by words describing the functions, to ease the understanding.

Application ID

Package name: tv.peel.smartremote

Version: 10.7.3.3

Installs: 100M+

Developer: Peel Technologies


Originally posted: https://blog.pradeo.com/google-play-app-peel-smart-remote-data-leakage 

 

April 12, 2019

Leave a Reply

avatar

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
Notify of
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013