A serious security flaw in the Google Play Core library is still present in many Android apps. According to a recent report by security firm Check Point, apps including Grindr, Bumble, OKCupid, Cisco Teams, Yango Pro, Edge, Xrecorder, PowerDirector and many others still ship a version of the library that carries an old, already-fixed bug. Check Point estimates that the flaw puts the data of hundreds of millions of Android users at risk.
Check Point's analysis found that the bug, which Google fixed in the library in April 2020, still affects many apps because their developers have not yet rebuilt them against the patched version. The fix does not reach users through Google Play or an OS update: Play Core is compiled into each app at build time, so every affected app has to be rebuilt with a fixed library and users have to install that new build. Until that happens, millions of users remain exposed.
The report states that, at the time of writing, all of these apps were still on an old Play Core version, apart from Viber and Booking, which were recently updated. Google rated the flaw 8.8 out of 10 in severity.
The vulnerability is tracked as CVE-2020-8913 and is a local code-execution flaw: a malicious app installed on the same device can get its own code loaded and executed inside a vulnerable app, with that app's permissions and access to its private data. The root cause lies in how Play Core handled the split APK files it receives from other apps; the supplied file name was not validated, so a path-traversal sequence let the attacker's file be written into a location from which the vulnerable app loads code. The attacking app needs no special permissions, so any app a user can be tricked into installing can attempt it, Check Point said.
That exposes whatever the vulnerable app holds: login details, e-mail addresses, passwords, financial details and other private data, all of which an attacker can then exfiltrate.
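The bug class behind CVE-2020-8913 is easy to reproduce in miniature. The following Python model is an added example, not code from Play Core or from Check Point: it puts an unvalidated file-name join (the vulnerable pattern) beside a hardened version that rejects separators and confirms the canonical path stays inside the intended directory. The sandbox layout, the directory names and the attacker-supplied "split name" are constructed for illustration and do not claim to reproduce Play Core's real internal paths.

```python
import os


def vulnerable_split_path(splits_dir: str, split_name: str) -> str:
    """Model of the vulnerable pattern: the file name received from another
    app is joined onto the app's verified-splits directory unvalidated, so a
    name containing '..' lands the file elsewhere in the app sandbox."""
    return os.path.join(splits_dir, split_name)


def safe_split_path(splits_dir: str, split_name: str) -> str:
    """Hardened form: a split name must be a bare file name, and the resolved
    path must still be inside splits_dir after symlinks and '..' collapse."""
    if not split_name or split_name in (".", ".."):
        raise ValueError(f"invalid split name: {split_name!r}")
    if "/" in split_name or "\\" in split_name or "\x00" in split_name:
        raise ValueError(f"separator in split name: {split_name!r}")
    base = os.path.realpath(splits_dir)
    candidate = os.path.realpath(os.path.join(base, split_name))
    # Defence in depth: catches escapes via a symlinked splits_dir as well.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"split path escapes {base}: {candidate}")
    return candidate


def escapes(splits_dir: str, path: str) -> bool:
    """True if the canonical form of `path` lies outside splits_dir."""
    base = os.path.realpath(splits_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def accepted(splits_dir: str, split_name: str) -> bool:
    """Does the hardened check accept this name?"""
    try:
        safe_split_path(splits_dir, split_name)
        return True
    except ValueError:
        return False


# Constructed sample sandbox layout (assumed, not Play Core's real layout);
# on Android an app's private data lives under /data/data/<package>/.
SANDBOX = "/data/data/com.example.victim"
SPLITS_DIR = os.path.join(SANDBOX, "files", "splitcompat", "verified-splits")
CODE_CACHE = os.path.join(SANDBOX, "code_cache")

# Constructed inputs: a benign split name and one carrying a traversal sequence.
BENIGN_NAME = "config.ar.apk"
HOSTILE_NAME = "../../../code_cache/evil.apk"


if __name__ == "__main__":
    for name in (BENIGN_NAME, HOSTILE_NAME):
        dest = vulnerable_split_path(SPLITS_DIR, name)
        print(f"vulnerable: {name!r} -> {os.path.normpath(dest)} "
              f"(escapes splits dir: {escapes(SPLITS_DIR, dest)})")
        verdict = "accepted" if accepted(SPLITS_DIR, name) else "rejected"
        print(f"hardened:   {name!r} -> {verdict}")
```

The hostile name walks three levels up and lands the file in the app's own code_cache directory, which is exactly the kind of location a loader will later trust. The hardened check rejects it on the separator test alone; the realpath comparison is kept so that a symlink under the splits directory cannot be used to reach the same effect.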
According to Check Point, 13 percent of the Google Play apps it analyzed in September 2020 used the Play Core library, and 8 percent of those still carried a vulnerable version. The advice to users is to uninstall an affected app until its developer ships a fixed build, then install the update. Viber and Booking have already moved to patched versions; the other apps named had not at the time of the report.
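For a developer, the practical check is which Play Core version Gradle actually resolves into the APK, not which one is pinned in build.gradle, because a transitive dependency can raise or hold the version. The script below is an added example, not part of the original report or of any Google tooling: it scans the output of `./gradlew :app:dependencies --configuration releaseRuntimeClasspath` for the `com.google.android.play:core` artifact, follows Gradle's `declared -> resolved` notation, and flags anything below 1.7.2, the first release that fixes CVE-2020-8913. The three dependency trees are constructed samples; the analytics SDK name in them is invented.

```python
import re
from typing import List, Optional, Tuple

# First Play Core release that fixes CVE-2020-8913.
FIXED_VERSION = (1, 7, 2)

# Matches the Play Core artifact itself (the ':' after 'core' excludes
# core-ktx and similar) with Gradle's optional "declared -> resolved" form.
_CORE_LINE = re.compile(r"com\.google\.android\.play:core:(\S+)(?:\s+->\s+(\S+))?")


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string, e.g. '1.8.0-beta01' -> (1, 8, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def find_play_core(tree: str) -> List[Tuple[str, str]]:
    """(declared, resolved) pairs for every Play Core line in the tree."""
    hits = []
    for line in tree.splitlines():
        m = _CORE_LINE.search(line)
        if m:
            declared = m.group(1)
            hits.append((declared, m.group(2) or declared))
    return hits


def resolved_play_core_version(tree: str) -> Optional[str]:
    """Version Gradle actually ships in the APK, or None if Play Core is absent."""
    resolved = {r for _, r in find_play_core(tree)}
    if not resolved:
        return None
    # One configuration resolves to one version; if the tree somehow lists
    # several, be conservative and report the lowest.
    return min(resolved, key=parse_version)


def is_vulnerable(tree: str) -> bool:
    """True if the resolved Play Core version predates the 1.7.2 fix."""
    version = resolved_play_core_version(tree)
    return version is not None and parse_version(version) < FIXED_VERSION


# Constructed sample: a stale direct pin, and an invented SDK that also pulls
# Play Core in; both resolve to the vulnerable 1.6.4.
VULNERABLE_TREE = r"""
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- androidx.appcompat:appcompat:1.2.0
|    \--- androidx.annotation:annotation:1.1.0
+--- com.google.android.play:core:1.6.4
\--- com.example.analytics:sdk:3.2.0
     \--- com.google.android.play:core:1.5.0 -> 1.6.4 (*)
"""

# Constructed sample: the same stale pin, but core-ktx lifts the resolved
# version to 1.8.0, so the shipped APK is not vulnerable.
PATCHED_TREE = r"""
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.google.android.play:core:1.6.4 -> 1.8.0
+--- com.google.android.play:core-ktx:1.8.1
|    \--- com.google.android.play:core:1.8.0 (*)
\--- androidx.appcompat:appcompat:1.2.0
"""

# Constructed sample: no Play Core at all.
NO_CORE_TREE = r"""
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
\--- androidx.appcompat:appcompat:1.2.0
"""


if __name__ == "__main__":
    for label, tree in (("vulnerable", VULNERABLE_TREE),
                        ("patched", PATCHED_TREE),
                        ("no-core", NO_CORE_TREE)):
        print(f"{label:10s} resolved={resolved_play_core_version(tree)} "
              f"vulnerable={is_vulnerable(tree)}")
```

Run it against the real Gradle output of each release configuration (release and debug can resolve differently). The second sample is the case a plain grep of build.gradle gets wrong in the safe direction; the first sample, where a transitive dependency keeps the version low, is the one it gets wrong in the dangerous direction.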
Commenting on the matter, Aviran Hazum, Manager of Mobile Research at Check Point, said: “We’re estimating that hundreds of millions of Android users are at a security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials. Or, a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination.”