Many Android apps still vulnerable to major patched bug, putting hundreds of millions of users at risk
December 2020, by Check Point
Countless apps on Google’s Play Store are still vulnerable to a known bug, CVE-2020-8913, which allows threat actors to inject malicious code into vulnerable applications and gain access to the same resources as the hosting application. Threat actors can use the vulnerability to steal sensitive data and credentials from users’ apps and devices.
• The security flaw is rooted in Google’s widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps
• Google fixed the flaw in April 2020, but developers themselves must ship the new Play Core library in their apps in order to eliminate the threat fully
• Check Point researchers randomly selected a number of high-profile apps to confirm the existence of vulnerability CVE-2020-8913. The vulnerability was confirmed in the Grindr, Bumble, OKCupid, Cisco Teams, Moovit, Yango Pro, Edge, Xrecorder and PowerDirector apps
Security researchers at Check Point have confirmed that many popular applications on Google’s Play Store are still affected by the known vulnerability CVE-2020-8913, putting hundreds of millions of Android users at significant security risk. First reported in late August by researchers at Oversecured, the vulnerability allows a threat actor to inject malicious code into vulnerable applications, granting access to all the same resources on the user’s phone as the hosting application. For example, an infected app could siphon off sensitive data from other apps on the same device.
The flaw is rooted in Google’s widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps. The vulnerability makes it possible to add executable modules to any app using the Play Core library, meaning malicious code could be executed within it. An attacker who has a malicious app installed on the victim’s device could steal users’ private information, such as login details, passwords and financial details, and read messages or access photos in social apps.
Developers need to update, now.
Google acknowledged and patched the bug on April 6, 2020, rating it an 8.8 out of 10 for severity. However, to fully mitigate the threat, the patched library has to be shipped by the developers themselves in their respective applications. Check Point researchers decided to randomly select a number of high-profile apps to see which developers had actually adopted the patch provided by Google.
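As an added example (not part of Check Point's write-up), a small Python check a developer can run against a module's build.gradle to find Play Core dependencies older than the version that carries Google's fix. The Maven coordinates are the library's real ones; the sample build file is constructed, and the threshold passed in the sample call is a placeholder to be replaced with the fixed version given in Google's advisory for CVE-2020-8913.

```python
import re

# Matches Groovy and Kotlin DSL dependency declarations such as
#   implementation 'com.google.android.play:core:1.6.4'
#   debugImplementation("com.google.android.play:core:1.8.0")
# A version supplied through a Gradle variable ("$playCoreVersion") is not
# matched and must be resolved by hand.
PLAY_CORE_RE = re.compile(
    r"""(?P<conf>\w+)\s*\(?\s*['"]com\.google\.android\.play:core:(?P<ver>[\w.\-]+)['"]"""
)

def parse_version(ver: str) -> tuple:
    """Turn '1.7.2' (or '1.10.0-beta01') into a comparable tuple of ints.
    Pre-release suffixes are dropped, so a pre-release counts as its base version."""
    base = ver.split("-")[0]
    return tuple(int(p) for p in base.split(".") if p.isdigit())

def find_outdated_play_core(gradle_text: str, min_safe_version: str) -> list:
    """Return (line_no, configuration, version) for every Play Core dependency
    whose version is older than min_safe_version. Commented-out lines are skipped."""
    floor = parse_version(min_safe_version)
    findings = []
    for line_no, line in enumerate(gradle_text.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue
        m = PLAY_CORE_RE.search(line)
        if m and parse_version(m.group("ver")) < floor:
            findings.append((line_no, m.group("conf"), m.group("ver")))
    return findings

# Constructed sample build file: one outdated and one current Play Core dependency.
SAMPLE_BUILD_GRADLE = """\
dependencies {
    implementation 'com.google.android.play:core:1.6.4'
    // implementation 'com.google.android.play:core:1.5.0'
    debugImplementation("com.google.android.play:core:1.8.0")
    testImplementation 'junit:junit:4.13'
}
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUILD_GRADLE
    # Placeholder threshold: replace with the fixed version from Google's advisory.
    for line_no, conf, ver in find_outdated_play_core(text, "1.7.2"):
        print(f"line {line_no}: {conf} uses Play Core {ver}, older than the fixed version")
```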
Vulnerable apps confirmed
During September 2020, 13% of the Google Play applications analyzed by Check Point researchers used the Google Play Core library, and 8% of those still shipped a vulnerable version. The following applications are still vulnerable on Android:
• Social – *Viber
• Travel – *Booking
• Business – Cisco Teams
• Maps and Navigation – Yango Pro (Taximeter), Moovit
• Dating – Grindr, OKCupid, Bumble
• Browsers – Edge
• Utilities – Xrecorder, PowerDirector
(*Prior to this publication, we notified all of the app developers about the vulnerability and the need to update the version of the library in order not to be affected. Further tests show that Viber and Booking updated to the patched versions after our notification.)
Check Point researchers have summed up the attack chain that exploits the vulnerability in four steps.
1. The user installs a malicious application.
2. The malicious app exploits an application with a vulnerable version of the Google Play Core (GPC) library.
3. GPC handles the payload, loads it and executes the attack.
4. The payload can access all of the device’s resources available to the hosting application.
Demonstration on Google Chrome app
To demonstrate targeting a specific application, Check Point researchers took a vulnerable version of the Google Chrome application and created a dedicated payload to grab its bookmarks. The demonstration shows how someone could grab cookies and use them to hijack an existing session with third-party services, such as Dropbox. Once a payload is “injected” into Google Chrome, it has the same access as the Google Chrome app to its data, such as cookies, history and bookmarks, as well as the password manager.
Aviran Hazum, Check Point’s Manager of Mobile Research, said: “We’re estimating that hundreds of millions of Android users are at security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials. Or, a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination.”
Response by Google
Check Point researchers reached out to Google and communicated their research findings. Google responded with: “The relevant vulnerability CVE-2020-8913 does not exist in up-to-date Play Core versions.”
How users can protect themselves:
Check Point recommends that users install a mobile threat defense solution. Check Point SandBlast Mobile is a market-leading Mobile Threat Defense (MTD) solution, providing a wide range of capabilities to help secure mobile workforces. SandBlast Mobile provides protection against mobile attack vectors, including the download of malicious applications and applications with malware embedded in them.