An unsuspecting Android app named WiFi Finder, installed by tens of thousands of Google Play users, reportedly leaked more than 2 million Wi-Fi network passwords.

Used for locating and connecting public Wi-Fi hotspots that are closer to users, the app’s security breach and privacy problems emanated from a community feature that invites users to share hotspots they could find nearby.

Users were obviously trapped by the app’s description that urged them to “be social and share your Wi-Fi hotspots. Add your Wi-Fi network and update.”

A feature allowing users to upload network passwords is another popular feature of the app WiFi Finder.

The app of Chinese origin wants users to share information and build a mutually supportive Wi-Fi community.

Threat found by security analyst

The security risk was found out by cyber researcher Sanyam Jain, associated with the GDI Foundation.

He presented the matter to TechCrunch and noted the database of uploads has been “left exposed and unprotected, allowing anyone to access and download the contents in bulk.”

It is being reported that thousands of exposed Wi-Fi passwords belong to networks based in the U.S.

“Although the app's developer claims the app only provides passwords for public hotspots, the data shows countless home Wi-Fi networks” Tech Crunch’s Whittaker pointed out.

However, the exposed data has no detailed contact information of the Wi-Fi network owners but names of Wi-Fi network, exact geolocation, and passwords in the plaintext are freely available.

Risk of abuse from exposed data

Security threat is heightened by the fact that the app needed no permission from network owners and can expose Wi-Fi networks for unauthorized access.

An attacker, after gaining access to a network can modify router settings to lure users into malicious websites by making changes in the DNS server. Once the access is gained by an attacker, he can scan the unencrypted traffic in the wireless network and steal passwords and other secret information.

According to analysts, the risky app’s developers have ignored even the basic security hygiene of not storing unencrypted passwords.

Also, the app does not distinguish between public hotspots and home Wi-Fi networks. That triggered the exposure of home Wi-Fi networks to the attention of threat actors.

Android malware
Some malware families are designed to attack Android devices. GABRIEL BOUYS/AFP/Getty Images

Database removed

After media reports, the database has been taken offline by the cloud company although the developer is yet to respond.

If any user has shared his password and Wi-Fi information via the app’s community upload function, it is time to immediately change the Wi-Fi password.

The incident is also a wakeup call against downloading apps from untrusted developers. It also compels to heighten the vigil about keeping Wi-Fi network details secret to avoid future risks.