Check Point experts have warned that the developers of many popular Android applications forgot to update one important library, leaving those apps vulnerable to attack.
According to the company, about 8% of all applications in the Google Play Store use old, insecure versions of the Play Core library. Google created this library so that developers can embed it in their apps to interact with the official Google Play Store. The library is very popular because it can be used to download and install updates, modules, language packs and even other applications from the Play Store.
Earlier this year, however, Oversecured researchers discovered a serious vulnerability in Play Core, tracked as CVE-2020-8913. A malicious application installed on the user's device could exploit this bug to inject dangerous code into other applications and steal confidential data, including passwords, photos, 2FA codes and much more. A demonstration of such an attack can be seen in the video below.
https://www.youtube.com/embed/Dfa8JEvnteY?wmode=transparent
Android Vulnerability Fix
Google engineers fixed the bug with the release of Play Core 1.7.2, which came out in March 2020. However, according to Check Point, not all developers have updated the Play Core library in time, and now their users are at risk.
According to a September 2020 scan by Check Point, that is, six months after the patch was released, about 13% of all apps in the Google Play Store continued to use older versions of the library, and only 5% were using an updated (secure) version.
The list of apps that “did their duty” to users and updated the library included Facebook, Instagram, Snapchat, WhatsApp and Chrome. Unfortunately, the developers of many other large applications had not done so; among them, the experts listed Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber, and Booking.com. In total, the problematic applications have been installed more than 250 million times.
Check Point researchers write that they notified the authors of all vulnerable applications about the problem, but three months later only Viber and Booking.com had removed the vulnerability from their products. In turn, The Register reports that on December 2 the vulnerability was also fixed in Cisco Webex Teams.
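A simple dependency audit that flags Play Core versions older than the 1.7.2 fix, added here as an illustration rather than code from Check Point or Google; it assumes the library's Maven coordinate `com.google.android.play:core` (and the `core-ktx` variant), which the article does not mention, and it scans a constructed `build.gradle` snippet:

```python
import re

# Play Core version that fixed CVE-2020-8913, as stated in the article.
PLAY_CORE_FIXED_VERSION = (1, 7, 2)

# Assumption: Play Core is published as com.google.android.play:core
# (with a core-ktx companion); the article gives no coordinate.
_DEP_RE = re.compile(
    r"""['"]com\.google\.android\.play:core(?:-ktx)?:([0-9]+(?:\.[0-9]+)*)['"]"""
)

# Constructed sample build.gradle body (not from any real app).
SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'androidx.appcompat:appcompat:1.2.0'
    implementation 'com.google.android.play:core:1.6.4'
    implementation "com.google.android.play:core-ktx:1.8.1"
}
"""


def parse_version(text):
    """Turn '1.7.2' into (1, 7, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def find_play_core_versions(gradle_text):
    """Return every Play Core version string declared in a Gradle file body."""
    return _DEP_RE.findall(gradle_text)


def is_vulnerable(version):
    """True when the declared version predates the 1.7.2 fix."""
    return parse_version(version) < PLAY_CORE_FIXED_VERSION


def audit_gradle(gradle_text):
    """Return (version, vulnerable) pairs for each Play Core dependency found."""
    return [(v, is_vulnerable(v)) for v in find_play_core_versions(gradle_text)]


if __name__ == "__main__":
    for version, vulnerable in audit_gradle(SAMPLE_BUILD_GRADLE):
        status = "OUTDATED (CVE-2020-8913)" if vulnerable else "ok"
        print(f"Play Core {version}: {status}")
```

The regex matches both Groovy and Kotlin DSL declarations because it only looks at the quoted coordinate, so the same check can be run over every module's build file in a CI job.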