About 8% of Android apps available in the official Google Play Store are affected by a vulnerability in a popular Android library. The problem is in older versions of Play Core, a Java library that developers can embed into their applications to interact with the official Play Store portal, according to Check Point.
The Play Core library is very popular because it can be used by app developers to download and install updates hosted in the Play Store, modules, language packs, or even other apps.
Earlier this year, security researchers from Oversecured discovered a serious vulnerability (CVE-2020-8913) in the Play Core library. Exploiting it allowed malware installed on a user’s device to inject rogue code into other applications and steal sensitive data such as passwords, photos, 2FA codes, etc. Google fixed the problem in Play Core 1.7.2 back in March this year. However, as it turned out, not all developers have updated the Play Core library.
According to Check Point's scans, six months after the release of the Play Core update, 13% of all applications in the Google Play Store were still using the library, and only 5% were using the updated (secure) version. Check Point identified Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber, and Booking.com among the apps with the most users that failed to update the library.
Researchers from Check Point notified the developers of all the applications about their findings, but even three months later, only Viber and Booking.com had applied the fix.