Check Point experts warned that developers of many popular Android applications forgot to make an important update and now their product is vulnerable to a bug in the Play Core library.So, according to the company, about 8% of all applications in the Google Play Store use old and unsafe versions of the Play Core library. This library was created by Google and developers can embed it into their apps to interact with the official Google Play Store.
The library is very popular because it can be used to download and install updates from the Play Store, modules, language packs and even other applications.
However, earlier this year, oversecured researchers discovered a serious vulnerability in Play Core, identified as CVE-2020-8913. This bug could be exploited by a malicious application installed on the user’s device and with its help injecting dangerous code into other applications, as well as stealing confidential data, including passwords, photos, 2FA codes and much more.
A demonstration of such an attack can be seen below.
Google engineers fixed a bug with the release of Play Core 1.7.2, released in March 2020. However, according to Check Point, not all developers have updated the Play Core library in time, and now their users are at risk.
According to a September 2020 scan by Check Point, six months after the patch was released, about 13% of all apps in the Google Play Store continued to use older versions of the library, and only 5% were using an updated (secure) version.
The list of applications that “did their duty” to users and updated the library included Facebook, Instagram, Snapchat, WhatsApp and Chrome. But, unfortunately, the developers of many other large applications did not do this. Among them experts listed Microsoft Edge, Grindr, OKCupid, Cisco Teams, Viber, and Booking.com. In total, problematic applications have been installed more than 250 million times.
Check Point researchers write that they notified the authors of all vulnerable applications about the problem, but three months later, only Viber and Booking.com took care of removing this vulnerability from their products. In turn, The Register reports that on December 2, the vulnerability was also fixed as part of Cisco Webex Teams.
Let me remind you that Google recruits a team of experts to find bugs in Android applications.