Multiple high-profile Android apps are still using an unpatched version of Google’s widely-used update library’s, potentially putting the private data of many many of their smartphone users in danger of hacking.
Many popular apps, including Grindr, Bumble, OkCupid, Cisco Teams, Moovit, Yango Pro, Microsoft Edge, Xrecorder, and PowerDirector, are still vulnerable and may be hijacked to steal sensitive data, like passwords, financial details, and e-mails.
The bug, tracked as CVE-2020-8913, ought to be rated 8.8 on the scale of 10.0 for severity and impacts Android’s Core Library versions before 1.7.2.
Although Google addressed the vulnerability in March, new findings from CheckPoint Research show that a lot of third-party app developers are yet to integrate the new Play Core library into their apps to mitigate the threat fully.
Play Core Library could also be a well-liked Android library that allows developers to manage the delivery of latest feature modules effectively, trigger in-app updates at runtime, and download additional language packs.
First noticed in late August by researchers at app security startup, the difficulty allows a threat actor to inject malicious executable files to any app counting on the google library, thus granting the attacker full access to all or any or any of the resources as that of the compromised application.
The flaw stems from a path traversal vulnerability within the library that might be exploited to load and execute malicious code (e.g., an APK file) onto a target app to capture users’ login details, passwords, financial details, and other tips stored within the device.
The consequences of this successful exploitation in this flaw are tragic. It are often used to “inject code into banking applications to grab credentials, and at the same time have SMS permissions to steal the two-factor authentication (2FA) codes,” grab messages from chat apps, spy on users’ locations, and even gain access to corporate resources by tampering with enterprise apps.
According to CheckPoint Research, of the 13% of Google Play applications analyzed within the month of September 2020, 8% of those apps had a vulnerable version.
After the cybersecurity firm by taking charge disclosed their findings, Viber, Meetup, and Booking.com updated their apps to the patched version of the library.
The researchers also demonstrated a proof-of-concept that used a vulnerable version of the Google Chrome app to siphon the bookmarks stored within the browser through an obsessive payload.
“We’re estimating that many many Android users are at security risk,” Check Point’s Manager of Mobile Research, Aviran Hazum, said. “Although Google put into effect a patch that a lot of other apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is extremely dangerous, the attack possibilities here are only limited by a threat actor’s imagination.”
