Even a week after Baba Ramdev’s homegrown Kimbho app, pegged as “competition of WhatsApp”, was taken off app stores, duplicates continue to thrive and pose risks.
A simple search for Kimbho on Google Play Store pulls up about eight apps with different variations of the name Kimbho: “Kimbho Bliss Indian app of Yoga, Meditation, Sleep”, “Kimbho Swadesi Indian App”, “Kimbho”, “Kimbho Messenger: swadeshi app”, etc.
The Apple store also has two apps listed as “Kimbho-Best Quotes & Status”, and “Kimbho- Funny Jokes collection”.
Cybersecurity experts say that while the original app had multiple security issues, the fake ones cropping up are fertile ground for malware and cyber attacks.
“The Indian security community was able to find multiple critical security issues in the Kimbho app within hours of the launch. It was evident that the app was built by developers who had zero idea about security,” said Rahul Sasi, founder and chief technology officer at machine-learning-based cloud security company CloudSek.
The original app was "developed by newbies, and there was zero security level. Many ports were open, and even chat admin was easy to access," said Manan Shah, founder and CEO of Gujarat-based cybersecurity firm Avalance Global Solutions.
He added that even though the data has been removed from the app web domain, there are several test pages that can still be accessed.
Kimbho, which is the Sanskrit equivalent of “what’s up?”, was launched by Baba Ramdev’s fast-moving consumer group Patanjali last Wednesday.
However, following backlash from the security community on Twitter, including from a French security researcher who goes by the name of Elliot Alderson, the app was taken off Google Play Store as well as Apple’s app store.
The company cited extremely heavy traffic for withdrawing the app and later also said that the launched app was a trial version. It also warned users against the several fake apps doing the rounds.
“Scammers will try any means necessary to trick you into installing a fake app. Criminals use emails and SMS messages that appear to be from your bank, credit card company or other brands to trick people into downloading applications that will compromise their data,” notes security company Norton in a post.
“In the case of Kimbho, the app was storing all users' data (messages, personal info) on the server unencrypted; because of this, (security researchers) were able to read anyone's messages, personal info, etc. The app developers had zero knowledge about security,” said Sasi.
In a blog, CloudSek explains how a seemingly harmless application it once found, about Christmas and Santa Claus, was accessing contacts, SMS, call records, location information, calendar, camera, camera shots, video, environment recording, browser history, programme information, SIM card information and device status.
The malicious app also had a way to record anything the user spoke upon entering or leaving a particular area.