CYBER – Android Messenger App Still Leaking Photos, Videos (OODA)

A bug in the GO SMS Pro app for Android has affected millions of users as underground forums begin to actively share images and data stolen from the app’s servers. The app has been downloaded 100 million times and contains a high-level flaw that allows an attacker to access private voicemails, videos, and photos sent through the messaging app. GO SMS Pro has published two new versions of the application on Google Play since the flaw was disclosed; however, neither update fixes the initial issue.

Exploitation tools for the bug are also being released in the wild, meaning that less experienced cybercriminals may be able to exploit it as well. When a user sends a message through GO SMS Pro, the app does not require authentication to view the content, so anybody with the link can view it. This creates a storm of security issues, including that malicious actors can guess links and then need no authority to download the multimedia file. However, it is not directly possible to connect the media to specific users, according to security firm Trustwave.
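The access-control gap described above, shown next to a corrected handler. This is an added example, not code from GO SMS Pro or Trustwave; the in-memory store, function names and user names are hypothetical and constructed for illustration.

```python
import secrets

# Constructed in-memory store standing in for a media server (hypothetical).
MEDIA = {}


def upload(sender, recipient, data):
    """Store media under a 256-bit random ID so the link cannot be guessed."""
    media_id = secrets.token_urlsafe(32)
    MEDIA[media_id] = {"sender": sender, "recipient": recipient, "data": data}
    return media_id


def fetch_weak(media_id):
    """The pattern the article describes: possession of the link is enough."""
    item = MEDIA.get(media_id)
    return item["data"] if item else None


def fetch_hardened(media_id, session_user):
    """Serve media only to its authenticated sender or recipient.

    session_user is the identity established by the server's login/session
    layer (None when the request is unauthenticated); it is never read from
    the URL itself.
    """
    item = MEDIA.get(media_id)
    if item is None or session_user is None:
        return None
    # "Missing" and "forbidden" return the same result, so responses do not
    # confirm which IDs exist on the server.
    if session_user not in (item["sender"], item["recipient"]):
        return None
    return item["data"]
```

An unguessable ID alone only makes links harder to find; the per-request authorization check is what stops a forwarded or leaked link from exposing the file.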

