Numerous high-profile Android apps are still using an unpatched version of Google’s widely-used app update library, that puts the personal data of hundreds of millions of smartphone users at risk of hacking.
Many popular apps which include Grindr, Bumble, OkCupid, Cisco Teams, Moovit, Yango Pro, Microsoft Edge, Xrecorder, and PowerDirector, are still vulnerable and can be hacked to steal sensitive data, such as passwords, financial details, and e-mails.
The bug, dubbed as CVE-2020-8913, has been given the severity rating of 8.8 and affects Android’s Play Core Library versions prior to 1.7.2.
Google already addressed the vulnerability in March, but according to a new finding from Check Point Research, several third-party app developers have not yet integrated the new Play Core library into their apps to mitigate the threat completely.
In case of client-side vulnerabilities, each developer has to collect the latest version of the library and insert it into the application.
Play Core Library is an Android library that allows developers to manage the delivery of new feature modules effectively, trigger in-app updates at runtime, and download additional language packs.
The issue was first reported by the researchers at a security startup Oversecured, which allows an attacker to inject malicious executables to any app relying on the library, thus permitting the attacker full access to all the resources as that of the compromised application.
The flaw arises from a path traversal vulnerability in the library that could be exploited to load and execute malicious code onto a target app to steal user’s sensitive details.
On successful exploitation of this flaw, it is possible to “inject code into banking applications to grab credentials, and at the same time have SMS permissions to steal the two-factor authentication (2FA) codes. It can also gather messages from chat apps, spy on users’ locations, and even attain access to corporate resources by tampering with enterprise apps.
According to Check Point Research, of the 13% of Google Play applications analyzed in September 2020, 8% of those apps had a vulnerable version.
The cybersecurity firm disclosed their findings after which Viber, Meetup, and Booking.com updated their apps to the patched version of the library.
The researchers also demonstrated a proof-of-concept that used a vulnerable version of the Google Chrome app to siphon the bookmarks stored in the browser through a dedicated payload.
The researchers stated that millions of Android users are at security risk. Even though Google implemented a patch, many apps are still using outdated Play Core libraries.