Subscribe
  • Home
  • /
  • Malware
  • /
  • Apps still vulnerable to old bug in Google Play Core Library

Apps still vulnerable to old bug in Google Play Core Library

Staff Writer
By Staff Writer, ITWeb
Johannesburg, 04 Dec 2020

About 8% of Android apps available on the Google Play Store are vulnerable to a security flaw in a popular Android library, according to Check Point. 

The vulnerability, CVE-2020-8913, was patched by Google in April. It allows local code execution (LCE) within the scope of any application that has the vulnerable version of the Google Play Core Library. Code execution is a malefactor’s ability to execute arbitrary commands or code.

The Play Core Library is the app’s runtime interface with the Google Play Store. Some of the actions that can be taken with Play Core include downloading additional language resources; managing delivery of feature modules; managing delivery of asset packs, triggering in-app updates; and requesting in-app reviews.

The Library is a gateway for interacting with Google Play Services from within the application itself, starting from dynamic code loading, to delivering locale-specific resources, to interacting with Google Play’s review mechanisms. Many popular applications utilise this library, including Google Chrome, Facebook, Instagram, WhatsApp and SnapChat.

Inside each application’s sandbox, there are two folders, one for “verified” files received from Google Play, and another for “non-verified” files. Files downloaded from Google Play services go into the verified folder, while files downloaded from other sources are sent to the non-verified folder. When a file is written to the verified folder, it interacts with the Google Play Core library which loads and executes it.

Another feature, an exported intent, allows other sources to push files into the hosting application’s sandbox. There are some limitations: the file is pushed into the non-verified folder, and it is not automatically handled by the library.

The dangers

The vulnerability lies within the combination of the two features and also employs file traversal, a concept as old as the Internet itself. When popular applications that use the

Google Play Core library are combined with the vulnerability the risks become apparent.

If a malicious application exploits this vulnerability, it can gain code execution inside applications and have the same access as the vulnerable application.

Risks include injecting code into banking applications to grab credentials, as well as gaining SMS permissions to steal the two-factor authentication codes; injecting code into enterprise applications to gain access to corporate resources; inject code into social media applications to spy on the victim and use location access to track the device, and finally, injecting code into IM apps to grab all messages, and possibly send messages on the victim’s behalf.

Apps still affected

Although the vulnerability was patched on 6 April this year, the patch needs to be pushed by the developers into the application. Unlike server-side vulnerabilities, where the vulnerability is patched completely once the patch is applied to the server, for client-side vulnerabilities, each developer needs to grab the latest version of the library and insert it into the application.

Since this vulnerability was published, Check Point began monitoring vulnerable applications. During September this year, 13% of Google Play applications analysed by the company used this library, and 8% of those apps had a vulnerable version.

Check Point compared the September versions to the current versions on Google Play to see which applications are still affected, and discovered vulnerable applications from a large variety of genres, including Viber, Booking, Cisco Teams, Yango Pro, Moovit, Grindr, OKCupid, Bumble, Edge, Xrecorder and PowerDirector.

Prior to publication, Check Point notified all apps about the vulnerability and the need to update the version of the library, in order not to be affected. Further tests reveal that both Viber and Booking updated to the patched versions after the notification.

Share