Google’s Play Core library is still suffering from a major security flaw that continues to plague many Android apps. Vulnerable apps include Grindr, Bumble, OkCupid, Cisco Teams, Yango Pro, Edge, Xrecorder, PowerDirector and more. According to research by Check Point, these applications are still vulnerable to a Play Core library flaw that puts the data of hundreds of millions of Android users at risk.
Google is aware of this flaw and patched it back in April. While it has been fixed at Google’s end, truly getting rid of the vulnerability requires action from app developers: each developer must update their own app to the patched Play Core library.
The aforementioned applications are running on an older version of the Play Core library, which leaves them vulnerable to the attack. Viber and Booking.com were also running on the older version, but they updated their apps immediately after Check Point notified them.
According to the security researchers at Check Point, some Android apps, including Grindr, Bumble, OkCupid, Cisco Teams, Yango Pro, Edge, Xrecorder and PowerDirector, are still vulnerable to CVE-2020-8913. The flaw was found in Google’s own Play Core library, which app developers use to push in-app updates and new feature modules to their apps.
Commenting on this, Aviran Hazum, Manager of Mobile Research at Check Point, says: “We’re estimating that hundreds of millions of Android users are at security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials. Or, a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination.”