Several high-profile third-party Android apps still aren’t using the latest version of Google’s app update library, jeopardizing hundreds of millions of smartphone users’ security.
Oversecured, a mobile app security company, discovered a severe vulnerability in Google library Play Core Library, allowing malicious apps to execute code in legit apps. The vulnerability was classified as CVE-2020-8913 and rated 8.8/10 for severity. It mainly affected Android Play Core Library versions released before 1.7.2.
The vulnerability was patched back in March 2020. However, many third-party Android apps are using the unpatched version of Google Library, according to the latest report from Check Point Research.
Aviran Hazum, the Manager of Mobile Research at Check Point, the security of “hundreds of millions of Android users” is at risk.
“The vulnerability CVE-2020-8913 is highly dangerous, [and] the attack possibilities here are only limited by a threat actor’s imagination,” Hazum stated in a report.
Some of the apps have over 250 million downloads. Researchers claim that most app developers haven’t yet integrated the new Google Play Core Library to mitigate the threat.
Check Point explained that in server-side vulnerabilities, the patching process is simpler as the patch has to be applied to the server once. But. For client-side vulnerabilities like the one identified in Google Library, every developer must grab the library’s patched version and integrate it into the application.
The apps still vulnerable to hacking include:
It is worth noting that just last week Bumble, a dating app was found vulnerable and risked data of 100 million users globally. It took Bumble almost a year to respond to what researchers reported about the vulnerability.
Play Core Library is a widely used Android library through which developers can manage the latest feature module delivery, download new language packs, and effectively trigger in-app updates at runtime.
Check Point researchers identified that around 13% of apps on Google Play evaluated in September 2020, nearly 8% had a vulnerable version. After Check Point disclosed their findings, many mainstream services such as Meetup, Viber, and Booking.com updated their apps to integrate the patched version.
A proof-of-concept was also demonstrated by the researchers using a vulnerable version of the Google Chrome app. While researchers could steal all the bookmarks stored in the browser via payload, malicious threat actors can easily steal sensitive data like emails, passwords, and financial information.
Watch the demonstration: