Report: Sonic the Hedgehog Android Games Leaking User Data

The Sonic the Hedgehog games have been downloaded hundreds of millions of times. Now, reports are surfacing that the games could be leaking user data.

Three games featuring Sega’s famous hedgehog is the latest discovered source for personal information. That’s according to one security source. One of these games have been downloaded up to 100 million times. As it turns out, personal information is being sent unencrypted to uncertified servers.

The games in question are Sonic Dash, Sonic the Hedgehog Classic, and Sonic Dash 2: Sonic Boom. According to rough statistics, these games have been collectively downloaded up to 600 million times.

SC Magazine is pointing to a report on Pradeo which says the following:

Lately, the Pradeo Lab noticed an increase in the amount of official apps fooling their users into giving them access to data they don’t actually need. In most of the cases, when installing an app from Google Play, users accept permissions without giving a second thought. As a result, publishers collect private information about their clients, such as geolocation, device data, users data (gallery, contact lists, browser history, SMS…), etc.

In this case, the 3 SEGA apps collect and leak geolocation and device data to several distant servers, including suspicious ones.

Among the distant servers reached by the affected SEGA apps when sending data, we can see that most have a tracking and marketing purpose. However, what caught Pradeo’s researchers attention is the fact that these apps are sending information to 3 uncertified servers of which 2 are a variant of Android/Inmobi.D, and represent a potential threat.

Among the vulnerabilities detected in the analyzed SEGA apps, we identified two critical ones that make them highly vulnerable to Man-In-The-Middle attacks (X.509TrustManager and PotentiallyByPassSslConnection). The other OWASP vulnerabilities detected can result in denial of service, sensitive data leakage and clearly show encryption weaknesses.

The security researchers further expressed concern on the issue and spoke to Threat Post:

“It’s a ticking time bomb,” Raoul told Threatpost. He said unverified servers are fertile ground for attackers to collect the type of recognizance needed to both identify juicy targets and attack them with tailor-made exploits.

Sega America did not return multiple Threatpost requests for comment.

“The use of the faulty Android/Inmobi.D library is not unique. There are thousands of Android applications using a variant of Android/Inmobi.D,” Raoul said.

Researchers said each of the Sega apps contained 15 Open Web Application Security Project (OWASP) flaws.

Apparently, Sega has been notified of the issue, but it seems nothing has been made public as of yet. We surveyed Sega’s twitter feed, official blog, and forums, but no mentions of the vulnerabilities were found.

Drew Wilson on Twitter: @icecube85 and Google+.