An Android anti-malware application from Panda Mobile Security has been updated after researchers discovered that an insecure update mechanism left users vulnerable to man-in-the-middle attacks.
Tom Moreton, a security researcher at Context, found that an insecure update mechanism in the product, which is available via Google Play, could be exploited to allow an attacker in a position to modify network traffic to inject their own functionality into the application.
Context’s findings were reported to the Spanish security firm, which fixed them in a recent version. A spokesman for Panda Security confirmed this, telling El Reg that "Panda Android apps for consumer and corporate security have all been updated to remove this potential vulnerability".
Panda Mobile Security has clocked up more than a million downloads. Context analysed the security of the product on the back of recent research by Google Project Zero team, and specifically that of Tavis Ormandy, into the security of desktop anti-malware packages.
Context, at least, is yet to find flaws in other mobile anti-malware products. Its thesis that mobile anti-malware packages are just as riddled with bugs as their desktop counterparts nonetheless seems more than plausible. ®