Go SMS Pro, the popular instant messaging Android app, has been pulled from the Google Play Store. Google has not yet provided any official statement on the app's unavailability; however, the development comes days after the Singaporean cyber-security firm Trustwave claimed that Go SMS Pro posed serious security threats that risked exposing private photos, videos, and other files exchanged by its users. The security researchers further stated that the China-based messaging company, Go SMS Pro, was informed about the security flaw back in August. The Android app had over 100 million downloads from Google Play before its removal.
According to a TechCrunch report, Trustwave, after discovering the security flaw, gave Go SMS Pro a 90-day deadline to fix the issue, a standard practice in vulnerability disclosure that allows enough time for a fix. But after the deadline elapsed without a response, the security researchers went public to ensure everyone's security. In a blog post, Trustwave says that the weakness appeared in Go SMS Pro Android v7.91, though it is unclear whether other versions of the app carried the same flaw. The security company explains that Go SMS Pro, like other messaging apps, allowed users to exchange private media files and messages. Additionally, users without the app could also receive media files through a special link, received via SMS.
However, the security firm found that the links could be accessed without any authentication or authorisation, meaning that any bad actor with the link can view the content, such as personal photos or videos. Besides, the URL link was sequential (hexadecimal) and predictable; in other words, it was easy for an attacker to guess and access. “When sharing media files, a link will be generated regardless of the recipient having the app installed. As a result, a malicious user could potentially access any media files sent via this service and also any that are sent in the future. This obviously impacts the confidentiality of media content sent via this application,” the security company added.
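The weak pattern described above (a sequential hexadecimal link ID served with no access check) next to a hardened share-link design, as an added example that is not Go SMS Pro's or Trustwave's code. All class and function names, the starting counter value and the recipient identifiers are constructed for illustration, and `recipient` is assumed to be an identity the server has already verified.

```python
import hashlib
import hmac
import secrets
import time


class SequentialLinks:
    """Weak pattern from the report: hex counter as link ID, no access check."""

    def __init__(self, start=0x1A2B3C):  # constructed starting value
        self._next, self._files = start, {}

    def share(self, blob):
        link_id = format(self._next, "x")
        self._next += 1
        self._files[link_id] = blob
        return link_id

    def fetch(self, link_id):  # anyone holding or guessing an ID gets the file
        return self._files.get(link_id)


class HardenedLinks:
    """Random 128-bit token, stored hashed, bound to a recipient, with expiry."""

    def __init__(self, ttl_seconds=3600):
        self._ttl, self._files = ttl_seconds, {}

    def share(self, blob, recipient, now=None):
        token = secrets.token_hex(16)  # 16 bytes from the OS CSPRNG
        key = hashlib.sha256(token.encode()).hexdigest()
        issued = time.time() if now is None else now
        self._files[key] = (blob, recipient, issued + self._ttl)
        return token

    def fetch(self, token, recipient, now=None):
        # `recipient` is assumed to be an identity the server already verified.
        key = hashlib.sha256(token.encode()).hexdigest()
        blob, owner, expires = self._files.get(key, (None, "", 0.0))
        current = time.time() if now is None else now
        if blob is None or current >= expires:
            self._files.pop(key, None)  # drop expired entries on access
            return None
        if not hmac.compare_digest(owner.encode(), recipient.encode()):
            return None
        return blob


def looks_sequential(link_ids):
    """Audit check: True if consecutively issued hex IDs differ by a constant step."""
    values = [int(i, 16) for i in link_ids]
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(values) >= 3 and len(steps) == 1
```

Running `looks_sequential` over a handful of IDs issued back to back by your own service is a quick regression check that link identifiers have not fallen back to a counter.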
The TechCrunch report also added that the publication was able to verify the finding by Trustwave. The company, via the decoded link, had access to a user's phone number, a bank transaction screenshot, an arrest record, and more. As mentioned, the Go SMS Pro app has been pulled from the Google Play Store, and the company has not shared any details about the flaw that was pointed out back in August. Users who are still using the app on their Android smartphone are advised to delete it until more information is available from either Google or Go SMS Pro.