An Old Vulnerability Plagues 8% of Android Apps: Check Point

essidsolutions

Check Point researchers reveal that an old high-severity local code execution vulnerability, which exists in 8% of apps including some of the most commonly used mobile apps such as Bumble, Teams, Edge, and OkCupid, puts Android users at risk of credential theft.

According to a recent analysis by Check Point Software Technologies, millions of Android users are susceptible to a local code execution vulnerability within the Google Play Core Library. The company found that 8% of all Google Play Store apps use a vulnerable version of the Play Core Library despite a fixed one being available since April this year.

Tracked as CVE-2020-8913, the flaw enables malicious applications to run code in authenticated Play Store apps. It was discovered by Oversecured and notched up a CVSS score of 8.8, which is just shy of being rated ‘Critical’ in severity. The vulnerability poses a threat to millions of users who have installed an app that uses the Play Core Library. Presently, 13% of all Play Store apps leverage it, including Facebook, Google Chrome, Instagram, WhatsApp, Snapchat, Viber, Booking, Cisco Teams, Yango Pro (Taximeter), Moovit, Grindr, OkCupid, Edge (Microsoft), XRecorder, PowerDirector, etc.

The Play Core Library is an interactive Java-based library that provides a runtime interface for Android apps to interact with the Play Store. “So, basically, the Google Play Core Library is a gateway for interacting with Google Play Services from within the application itself, starting from dynamic code loading (such as downloading additional levels only when needed), to delivering locale-specific resources, to interacting with Google Play’s review mechanisms,” Check Point researchers Aviran Hazum and Jonathan Shimonovich said.

The vulnerability allows attackers to deliver and execute unverified code or modules, which may well be malware, within a legitimate Android app that uses the Play Core Library. A malicious module or app installed on the target device could lead to theft of login credentials, financial data, and even 2FA codes, and allow reading of mail and messages in instant messaging apps.

Vulnerability Attack Demo | Source: Check Point

As shown in the demo, an attacker would only need to create and inject a simple ‘Hello World’ app that “calls the exported intent in the target (vulnerable) app to push a file into the verified files folder with the file-traversal path.”


CVE-2020-8913 Attack Chain by Check Point

Check Point’s analysis revealed that some of the above-listed applications, such as Viber, Booking, Grindr, Moovit, and Cisco Teams, were patched after the company notified their respective owners. However, many of the apps are still vulnerable to data pilfering attacks due to the bug.

Check Point estimated that Facebook and Instagram alone account for 5 billion and 1 billion downloads, respectively, enabled through the Play Core Library.

“Prior to this publication, we have notified the Apps about the vulnerability and the need to update the version of the library, in order not to be affected,” Check Point said.

So, Where’s the Hold Up?

The local code execution vulnerability is not a conventional server-side flaw that can be fixed with a single patch. It is a client-side bug, and each affected app needs to be updated manually. Check Point explains, “Unlike server-side vulnerabilities, where the vulnerability is patched completely once the patch is applied to the server, for client-side vulnerabilities, each developer needs to grab the latest version of the library and insert it into the application.”

Some of the other vulnerable apps with high installations include Aloha, XRecorder, Hamal, IndiaMART, Bumble, Teams, and Edge among others. For more details, check the table below.

| Package Name | Name | Version | Download Count |
|---|---|---|---|
| com.aloha.browser | Aloha | 2.23.0 | 1M |
| com.walla.wallasports | Walla! Sports | 1.8.3.1 | 100K |
| videoeditor.videorecorder.screenrecorder | XRecorder | 1.4.0.3 | 100M |
| com.walla.wallahamal | Hamal | 2.2.2.1 | 1M |
| com.indiamart.m | IndiaMART | 12.7.4 | 10M |
| com.microsoft.emmx | Edge | 45.09.4.5083 | 10M |
| ru.yandex.taximeter | Yango Pro (Taximeter) | 9.56 | 5M |
| com.cyberlink.powerdirector | PowerDirector | 7.5.0 | 50M |
| com.okcupid.okcupid | OkCupid | 47.0.0 | 10M |
| com.cisco.wx2.android | Teams | 40.10.1.274 | 1M |
| com.bumble.app | Bumble | 5.195.1 | 10M |

 
