The Associated Press reported on Wednesday that a cybersecurity firm said it had found a malware program that could steal the personal information of thousands of people using a loophole in the software industry’s privacy protections.
The company, Avast, said it identified the program, called Krasnostok, on Tuesday and reported it to Google, the search giant that owns the popular Google Web Search service.
Google has not confirmed its existence.
The program, which Avast said it first discovered in late February, uses the same keystroke-based encryption used by the Google Web Search service to encrypt data sent to the company’s servers.
The software, known as “Avast’s Krasnet,” was not detected by the company and its data is not stored on the Avast servers.
But the company said it alerted Google to the problem and notified the U.S. Federal Trade Commission, which regulates the privacy of the web search service.
Avast said the flaw in Google’s encryption meant that anyone using the Avsnet tool could read the data and gain access to the private details of nearly 1.5 million users.
The company said it notified Google of the flaw but did not provide details on how it did so.
Google said it is actively working to improve its security, including removing the Krasnets in the future.
The software, which it says is in beta testing, allows people to install the Ava botnet, or other botnets, to steal users’ personal information and access data from its servers.
Google, which has a market value of $45 billion, did not immediately respond to a request for comment.
Avacet is a search engine and ad network software that Google bought in 2013 for $1.6 billion.
Google acquired the company in 2014 for $5 billion.