Android application developers are putting millions of users at risk by failing to update Google’s widely used Play Core library to pick up the fix for a bug that was patched in April 2020, Check Point has warned.
The CVE-2020-8913 flaw is a local, arbitrary code execution vulnerability which enables a malicious actor to create an Android Package Kit (APK) targeting a specific app that lets them execute code as the targeted app, and access its data held on the user device. This may include private information such as login credentials, financial details, private messages or photos.
It is rooted in the Play Core library, a crucial element in enabling developers to push their own in-app updates and new feature modules to live apps. The Play Core library is used in about 13% of apps available on the Google Play Store as of September 2020.
It was patched by Google on 6 April 2020, but as it is a client-side vulnerability – as opposed to a server-side vulnerability which is patched completely once the patch is applied to the server – effectively mitigating it requires each developer using the Play Core library to grab the patched version and install it into their app. Eight months later, many have still failed to do so.
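A check a developer can run over a module's Gradle build file to see which Play Core version it declares, added here as an illustration and not taken from Check Point or Google. The sample build file and the minimum version passed to it are constructed for the demonstration; this article does not give the patched version number, so take the real value from Google's advisory.

```python
import re

# Maven coordinate of the Play Core library; the third field is the version.
PLAY_CORE = re.compile(r"""com\.google\.android\.play:core:([^'"\s)]+)""")

def parse_version(text):
    """Tuple of ints for a plain dotted version, else None (e.g. '1.+', '$var')."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def older(a, b):
    """Numeric comparison with zero padding, so 1.9 == 1.9.0 and 1.10 > 1.9."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def audit(gradle_text, minimum):
    """Return (line_number, declared_version, status) for each direct Play Core
    declaration; status is 'outdated', 'ok' or 'unresolved'. Transitive
    dependencies are not visible in the build file and are not covered."""
    floor = parse_version(minimum)
    if floor is None:
        raise ValueError("minimum must be a plain dotted version")
    findings = []
    for number, line in enumerate(gradle_text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # skip declarations that are commented out
        for match in PLAY_CORE.finditer(code):
            declared = parse_version(match.group(1))
            if declared is None:
                status = "unresolved"  # dynamic version: check the resolved build
            else:
                status = "outdated" if older(declared, floor) else "ok"
            findings.append((number, match.group(1), status))
    return findings

# Constructed sample build file and constructed minimum version (not real values).
SAMPLE = """\
dependencies {
    implementation 'com.google.android.play:core:1.2.3'
    implementation("com.google.android.play:core:1.10.0")
    implementation "com.google.android.play:core:1.+"
    // implementation 'com.google.android.play:core:0.9.0'
    implementation 'com.google.android.play:core-ktx:1.0.0'
}
"""
CONSTRUCTED_MINIMUM = "1.9.0"

if __name__ == "__main__":
    for finding in audit(SAMPLE, CONSTRUCTED_MINIMUM):
        print(finding)
```

An "unresolved" result means the build file uses a dynamic or variable version, so the version actually shipped has to be read from the resolved dependency tree of the release build.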
Aviran Hazum, Check Point’s manager of mobile research, said: “We’re estimating that hundreds of millions of Android users are at security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries.
“The vulnerability CVE-2020-8913 is highly dangerous,” he said. “If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials.
“Or a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination,” said Hazum.
On being contacted by Check Point, Google confirmed that CVE-2020-8913 “does not exist” in up-to-date Play Core versions.
Nevertheless, at the time of writing the flaw still exists in Bumble, Edge, Grindr, PowerDirector, Xrecorder and Yango Pro, and this is a small, randomly selected sampling of high-profile apps studied by Check Point. Four apps in the original sampling, Booking, Cisco Teams, Moovit and Viber, have since confirmed they have corrected the issue.
Check Point has contacted the developers of all the other apps, but it is unclear whether or not those apps have been updated.
Users of these apps should consider installing a mobile threat defence (MTD) solution on their device if they have not done so already. These services typically address threats at the device, application and network level, and should provide adequate protection. For users of corporate devices, MTD should form part of an enterprise mobility management strategy.
Currently available tools include Proofpoint’s Mobile Defense, Symantec’s Endpoint Protection Mobile, Zimperium’s zIPS and Check Point’s own SandBlast Mobile.