There are always going to be security flaws in our electronics. No programmer can think of every type of attack, and hackers are devious at finding new angles. However, you would hope that once a flaw turned up it would at least be fixed, but that's not always the case.
Trend Micro is bringing back to light a flaw that's been known since 2012. In fact, we've written about it on the site several times. It's a problem in the Portable SDK, or libupnp component, of the Universal Plug and Play standard found in some routers, smart TVs, other networked gear and several hundred mobile apps. Essentially, the flaw lets a hacker take over whatever gadget is running the flawed component.
The programmers behind the UPnP standard actually fixed the problem right away, however, many people have older technology that includes it, or manufacturers didn't update their firmware before releasing new models. In fact, just this April we learned that routers were still shipping with the flaw.
Now Trend Micro is finding that at least 300 apps in the Google Play store include the outdated version of the standard. The biggest one is QQMusic, which is in use by 100 million people in China. However, Tencent, the developer, is updating now that it knows it's using an outdated version.
Initially, Trend Micro thought the Netflix app was also affected. While the app does use an older version of UPnP take advantage of code that isn't in the new version, it fixed the flaw on its own.
According to Trend Micro, here are some apps it knows are vulnerable and has actually tested:
|Common Name||Package Name|
|HexLink Remote (TV client)||hihex.sbrc.services|
|HexLink-SmartTV remote control||com.hihex.hexlink|
|Hisense Android TV Remote||com.hisense.commonremote|
|nScreen Mirroring for Samsung||com.ht.nscreen.mirroring|
|Ooredoo TV Oman||com.ooredootv.ooredoo|
|PictPrint – WiFi Print App –||jp.co.tandem.pictprint|
|Smart TV Remote||com.hisense.common|
|에브리온TV (무료 실시간 TV)||com.everyontv|
If you have one of these apps on your phone, it's a good idea to remove it, or see if there's an update.