Highlights:
- Security flaw is rooted in Google’s widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps
- If exploited, the attacker can grab credentials, steal 2FA codes, gain access to corporate resources, and spy using location access
- Vulnerable apps include Edge, OkCupid, Grindr, Cisco Teams and more
Countless apps on Google’s Play Store are still vulnerable to a known bug, CVE-2020-8913, which allows threat actors to inject malicious code into vulnerable applications and thereby gain access to all the resources of the hosting application. Threat actors can use the vulnerable apps to siphon off sensitive data from other apps on the same device, stealing users’ private information such as login details, passwords, financial details and mail.
Security researchers at Check Point have confirmed that popular applications on Google’s Play Store remain affected by the known vulnerability CVE-2020-8913, concluding that hundreds of millions of Android users are still at significant security risk. First reported in late August by researchers at Oversecured, the vulnerability allows a threat actor to inject malicious code into vulnerable applications, granting access to all the resources of the hosting application. For example, a malicious app can siphon off sensitive data from other apps on the same device.
The flaw is rooted in Google’s widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps. The vulnerability makes it possible to add executable modules to any apps using the library, meaning arbitrary code could be executed within them. An attacker who has a malware app installed on the victim’s device could steal users’ private information, such as login details, passwords, financial details, and read their mail.
What is CVE-2020-8913?
Inside the sandbox of each application there are two folders: one for “verified” files received from Google Play, and another for “non-verified” files. Files downloaded from Google Play services go into the verified folder, while files downloaded from other sources are sent to the non-verified folder. When a file lands in the verified folder, the Google Play Core library loads and executes it.
Another feature, an exported intent, allows other sources to push files into the hosting application’s sandbox. There are some limitations: the file is pushed into the non-verified folder, and it is not automatically handled by the library.
The vulnerability lies in the combination of the two features mentioned above, together with path (file) traversal, a technique as old as the internet itself.
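The defensive counterpart of the mechanism just described is a write path that refuses to let an untrusted name climb out of the non-verified folder. The following is an added illustration, not Check Point’s, Oversecured’s or Google’s code: it models the two-folder sandbox layout in a temporary directory, canonicalizes every target path before writing, and rejects any name whose resolved location is not inside the non-verified folder. The folder names, the sample filenames and the `resolve_inside`/`write_unverified` helpers are all constructed for this example.

```python
"""
Added illustration (not Check Point's, Oversecured's or Google's code): a
sandbox writer that mirrors the two-folder layout described in the text and
refuses path traversal out of the non-verified folder.

Assumptions (constructed for the example, not from the original text): the
folder names "verified" and "non-verified", and the sample filenames in demo().
"""
import os
import tempfile

SANDBOX_VERIFIED = "verified"        # files the library will load and execute
SANDBOX_UNVERIFIED = "non-verified"  # files pushed in by other sources


def resolve_inside(base_dir: str, name: str) -> str:
    """Return the absolute path of `name` inside `base_dir`, or raise ValueError
    if the normalized, symlink-resolved target escapes that directory."""
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` entirely when `name` is absolute, so the
    # containment check below must run on the fully resolved result.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal rejected: {name!r}")
    if target == base:
        raise ValueError("empty or directory-only name rejected")
    return target


def write_unverified(sandbox_root: str, name: str, data: bytes) -> str:
    """Write a file received from an untrusted source into the non-verified
    folder only. Subdirectories are allowed; climbing out is not."""
    unverified_dir = os.path.join(sandbox_root, SANDBOX_UNVERIFIED)
    os.makedirs(unverified_dir, exist_ok=True)
    target = resolve_inside(unverified_dir, name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def is_in_verified_folder(sandbox_root: str, path: str) -> bool:
    """True if `path` lies inside the verified folder, which an untrusted
    write must never reach."""
    verified_dir = os.path.realpath(os.path.join(sandbox_root, SANDBOX_VERIFIED))
    return os.path.commonpath([verified_dir, os.path.realpath(path)]) == verified_dir


def demo() -> dict:
    """Exercise the writer with constructed names and report each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        os.makedirs(os.path.join(sandbox, SANDBOX_VERIFIED))
        samples = {
            "module.bin": b"benign",                 # plain name: accepted
            "sub/dir/module.bin": b"benign",         # nested name: accepted
            "../verified/module.bin": b"traversal",  # climbs into verified: rejected
            "/etc/passwd": b"absolute",              # absolute path: rejected
        }
        for name, data in samples.items():
            try:
                written = write_unverified(sandbox, name, data)
                results[name] = ("verified-folder" if is_in_verified_folder(sandbox, written)
                                 else "accepted")
            except ValueError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} -> {outcome}")
```

The check is done on `os.path.realpath` output rather than on the raw string, so `..` segments, redundant separators and symlinks are all collapsed before the containment test; comparing with `os.path.commonpath` avoids the classic mistake of a plain `startswith` prefix test, which would accept a sibling directory such as `non-verified-extra`.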
When we combine popular applications that utilize the Google Play Core library and the Local-Code-Execution vulnerability, we can clearly see the risks. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications and have the same access as the vulnerable application.
Developers Need to Update, Now.
Google acknowledged and patched the bug on April 6, 2020, rating it 8.8 out of 10 in severity. However, the patch only takes effect once developers ship the updated library in their own applications, so the threat does not go away until they do. Check Point researchers randomly selected a number of high-profile apps to see which developers had actually applied the patch provided by Google.
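Because the fix only reaches users when each developer rebuilds against a patched Play Core, the practical check on the developer side is the version of the dependency declared in the build. The following is an added example, not Check Point’s or Google’s tooling: it scans Gradle dependency text for the `com.google.android.play:core` artifact and flags any version below the first patched release. The threshold of 1.7.2 is an assumption taken from Google’s April 2020 fix and should be confirmed against the library’s release notes; the `build.gradle` excerpt is constructed for the example.

```python
"""
Added example (not Check Point's or Google's tooling): flag Play Core
dependency declarations that predate the patched release.

Assumption: PATCHED_PLAY_CORE = 1.7.2 is the first release carrying the fix
for CVE-2020-8913; confirm against Google's release notes before relying on it.
SAMPLE_BUILD_GRADLE is constructed for this example.
"""
import re
from typing import List, Tuple

PATCHED_PLAY_CORE = (1, 7, 2)  # assumption: first fixed Play Core version

# Matches both Groovy and Kotlin DSL forms, e.g.
#   implementation 'com.google.android.play:core:1.6.4'
#   implementation("com.google.android.play:core:1.8.0")
DEP_RE = re.compile(r"com\.google\.android\.play:core:([0-9]+(?:\.[0-9]+)*)")

SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'androidx.appcompat:appcompat:1.2.0'
    implementation 'com.google.android.play:core:1.6.4'
    implementation("com.google.android.play:core:1.8.0")
}
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.6.4' -> (1, 6, 4); tuples compare component-wise, which is what we need."""
    return tuple(int(part) for part in text.split("."))


def find_play_core_versions(gradle_text: str) -> List[Tuple[int, ...]]:
    """Return every Play Core version declared in the given Gradle source."""
    return [parse_version(m.group(1)) for m in DEP_RE.finditer(gradle_text)]


def audit_play_core(gradle_text: str) -> List[str]:
    """Return one finding per declared Play Core dependency, or a note if none."""
    findings = []
    for version in find_play_core_versions(gradle_text):
        dotted = ".".join(map(str, version))
        if version < PATCHED_PLAY_CORE:
            findings.append(
                f"VULNERABLE: com.google.android.play:core:{dotted} "
                f"(< 1.7.2, CVE-2020-8913)")
        else:
            findings.append(f"ok: com.google.android.play:core:{dotted}")
    if not findings:
        findings.append("no Play Core dependency declared")
    return findings


if __name__ == "__main__":
    for line in audit_play_core(SAMPLE_BUILD_GRADLE):
        print(line)
```

Declared versions are only part of the picture: Play Core can also arrive transitively through another dependency, so the same comparison is better run over the resolved dependency tree (the output of `gradle dependencies`) or over the library actually bundled in the released APK, rather than over `build.gradle` alone.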
Vulnerable Apps Confirmed
During September 2020, 13% of the Google Play applications analyzed by Check Point researchers used the Google Play Core library, and 8% of those still shipped a vulnerable version. The following applications were still vulnerable on Android:
- Social – *Viber
- Travel – *Booking
- Business – Cisco Teams
- Maps and Navigation – Yango Pro (Taximeter)
- Dating – Grindr, OkCupid, Bumble
- Browsers – Edge
- Utilities – Xrecorder, PowerDirector
*Further tests show that Viber and Booking updated to the patched versions after being notified.