Lax Android app developers put millions of users at risk

Android app developers are putting millions of users at risk by failing to update Google’s widely used Play Core library to cover a bug that was fixed in April 2020, Check Point warned.

CVE-2020-8913 is a local arbitrary code execution vulnerability that allows a malicious actor to create an Android Package Kit (APK) targeting a specific application, execute code as that application, and access its data stored on the user's device. This can include private information such as login credentials, financial details, private messages, or photos.

The flaw is rooted in the Play Core library, a crucial element in allowing developers to push their own in-app updates and new feature modules for live apps. The Play Core library is used by about 13% of the apps available on the Google Play Store as of September 2020.

It was patched by Google on April 6, 2020. But because it is a client-side vulnerability, as opposed to a server-side vulnerability that is fully patched once the patch is applied to the server, mitigating it effectively requires each developer who uses the Play Core library to take the patched version and install it in their application. Eight months later, many still have not.

Aviran Hazum, Mobile Research Manager at Check Point, said: “We estimate that hundreds of millions of Android users are at security risk. Although Google rolled out a patch, many apps still use outdated Play Core libraries.

“The CVE-2020-8913 vulnerability is highly dangerous,” he said. “If a malicious application exploits this vulnerability, it can get code execution within popular applications, gaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to obtain credentials.

“Or a threat actor could inject code into social media applications to spy on victims or inject code into all instant messaging applications to capture all messages. The attack possibilities here are only limited by the imagination of a threat actor,” Hazum said.

When contacted by Check Point, Google confirmed that CVE-2020-8913 “does not exist” in the updated versions of Play Core.

However, the flaw still exists in Bumble, Cisco Teams, Edge, Grindr, PowerDirector, Xrecorder, and Yango Pro, and this is a small, randomly selected sample of high-profile apps studied by Check Point. Three apps in the original sample, Booking, Moovit and Viber, have since confirmed that they have fixed the problem.

All other developers of these apps have been contacted by Check Point, but at the time of writing, it is unclear whether or not they have been updated.

Users of these applications should consider installing a mobile threat defense (MTD) solution on their device if they have not already done so. These services typically address threats at the device, application, and network levels, and should provide adequate protection. For corporate device users, MTD should be part of an enterprise mobility management strategy.

Tools currently available include Proofpoint’s Mobile Defense, Symantec’s Endpoint Protection Mobile, Zimperium’s zIPS, and Check Point’s SandBlast Mobile.
