Android messaging app with 100M users found exposing messages

According to the Play Store, the Go SMS Pro app is highly popular among Android users with more than 100 million users.

It is a common occurrence when apps and websites are found to have vulnerabilities that eventually get patched – the typical story in the cybersecurity world. In the latest, another such incident has occurred where a flaw has been found in an Android messaging app with over 100 million installations named GO SMS Pro.

The flaw is based on the most sensitive part of any messaging app in that it exposes the transmitted messages between users comprising of texts, voice notes, photos, and videos.

Discovered by researcher Richard Tan from Trustwave Security, the flaw is believed to have started from the app’s version 7.91 released on February 18 earlier this year. However, earlier and subsequent versions may include it as well even if this is not confirmed.

To see how the flaw works, we need to understand the messaging feature within the application.

To start with, when 2 Go SMS Pro users send each other a massage, it is displayed to them just like you would see a Whatsapp message right within the app. However, what happens when the recipient is not an app user?



In that case, the sender’s message would be sent as a link to the recipient’s sim. This is where the problem starts. That link irresponsibly can be accessed by anyone who gets a hold of it rather than just the one using the recipient’s sim.

Adding to this, if you share media files between 2 people who are users of the app, even then a link will be generated. Explaining further the researcher stated in a blog post that:

Browsing to http://gs.3g.cn/D/dd1efd/w would allow the recipient to view the voice message. However, by incrementing the value in the URL, it is possible to view or listen to other media messages shared between other users. For example, accessing http://gs.3g.cn/D/e3a6b4/w would show a photo of a fake driver’s license [sample license showed below].

Using this, attackers could pretty easily generate different URLs in order to unauthorizedly access the data of others. Furthermore, once this data is accessed, it could be used to blackmail victims and even conduct further attacks on them involving social engineering.



To conclude, currently, the flaw has not been patched (so much for our typical cybersecurity story) but the researcher has contacted the GO SMS Pro team.

If you are a GO SMS Pro user, it may be wise to stop using the app until then and this holds true for iOS as well as it too may have been compromised even if we’re not sure. In the future, we’ll continue updating you on how the patching process goes.

You may also like...