Android: Many apps use Google library with vulnerability

Last updated on December 6, 2020

The gap was already patched in March, but many apps still use older versions. It can be used to read messenger messages, for example.

Many popular apps use a completely outdated version of the Play Core library that contains a security hole. The hole allows an app to access data from other apps or to modify them. For example, messages from messengers or data from banking apps can be accessed, as can all other app data. The vulnerability has been known since August and has been patched since March.

According to the security company Checkpoint, several apps in the Google Play Store are still affected by the security hole. These include the dating app Okcupid, Microsoft’s Edge Browser for Android and the navigation app Moovit. Cisco Webex Teams, Booking.com and the dating app Grindr were also affected, but they have already updated their apps.

The vulnerability (CVE-2020-8913) was disclosed in August by the security company Oversecured. An installed malicious app can use the vulnerability to inject malicious code into other apps and access all of their app data. In this way, passwords, photos, 2FA codes and much more can be read.

“The vulnerability allows a threat player to inject malicious code into vulnerable applications, giving access to all resources on the user’s phone that are also present in the hosting application,” Checkpoint said. Exploiting the vulnerability is quite trivial. The most difficult step is probably getting the affected person to install a malicious app.

In September, 8% of apps in the Play Store were vulnerable

Google already closed the security hole in March with version 1.7.2 of Play Core. However, many app developers have not updated the library in their apps for months. In a scan in September, 13 percent of the apps on the Play Store used the Play Core library: only 5 percent used an updated version, while 8 percent used a version more than six months old that was affected by the vulnerability.