Android application developers are putting millions of users at risk by failing to update Google’s widely used Play Core library to cover off a bug that was fixed in April 2020, Check Point has warned.
The CVE-2020-8913 flaw is a local, arbitrary code execution vulnerability which enables a malicious actor to create an Android Package Kit (APK) targeting a specific app that lets them execute code as the targeted app, and access its data held on the user device. This may include private information such as login credentials, financial details, private messages or photos.
It is rooted in the Play Core library, a crucial element in enabling developers to push their own in-app updates and new feature modules to live apps. The Play Core library is used in about 13% of apps available on the Google Play Store as of September 2020.
It was patched by Google on 6 April 2020, but as it is a client-side vulnerability – as opposed to a server-side vulnerability which is patched completely once the patch is applied to the server – effectively mitigating it requires each developer using Play Core Library to grab the patched version and install it into their app. Eight months later, many have still failed to do so.
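An added example, not part of the original article or of Check Point's research: a static audit that flags Play Core declarations in a Gradle build script that are older than a fixed release. The `MIN_FIXED_PLACEHOLDER` value and the sample build script are constructed for illustration; take the real fixed version from Google's advisory for CVE-2020-8913.

```python
import re

# Gradle string-notation declaration of Play Core (Groovy or Kotlin DSL).
DEP_RE = re.compile(r"""['"]com\.google\.android\.play:core:([^'"]+)['"]""")

# Constructed placeholder, NOT the real fixed version of Play Core.
MIN_FIXED_PLACEHOLDER = "3.0.0"

# Constructed sample input.
SAMPLE_BUILD_GRADLE = """\
dependencies {
    implementation 'com.google.android.play:core:2.0.1'
    // implementation 'com.google.android.play:core:1.0.0'
    implementation("com.google.android.play:core:3.1")
    implementation "com.google.android.play:core:$playCoreVersion"
    implementation 'androidx.appcompat:appcompat:1.2.0'
}
"""

def parse_version(text):
    """Return a tuple of ints for a plain dotted version, else None."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None  # variable, dynamic ('1.+') or qualified version
    return tuple(int(part) for part in text.split("."))

def is_older(declared, floor):
    """Compare after zero-padding so that 3.1 equals 3.1.0."""
    width = max(len(declared), len(floor))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(declared) < pad(floor)

def audit_gradle(text, min_fixed):
    """Return (line_number, declared_version, status) per declaration.

    status is 'outdated', 'ok' or 'unresolved'; unresolved entries need the
    resolved dependency graph, not the build script, to be judged."""
    floor = parse_version(min_fixed)
    if floor is None:
        raise ValueError("min_fixed must be a dotted numeric version")
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop line comments
        for match in DEP_RE.finditer(code):
            declared = parse_version(match.group(1))
            if declared is None:
                status = "unresolved"
            else:
                status = "outdated" if is_older(declared, floor) else "ok"
            findings.append((lineno, match.group(1), status))
    return findings
```

A script-level scan like this misses Play Core pulled in transitively by another dependency, so the resolved dependency report of the build remains the authoritative check.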
Aviran Hazum, Check Point’s manager of mobile research, said: “We’re estimating that hundreds of millions of Android users are at security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries.
“The vulnerability CVE-2020-8913 is highly dangerous,” he said. “If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials.
“Or a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination,” said Hazum.
On being contacted by Check Point, Google confirmed that CVE-2020-8913 “does not exist” in up-to-date Play Core versions.
Nevertheless, the flaw still exists in Bumble, Cisco Teams, Edge, Grindr, PowerDirector, Xrecorder and Yango Pro, and this is a small, randomly selected sampling of high-profile apps studied by Check Point. Three apps in the original sampling, Booking, Moovit and Viber, have since confirmed they have corrected the issue.
All of the other developers of these apps have been contacted by Check Point, but at the time of writing, it is unclear whether or not they have been updated.
Users of these apps should consider installing a mobile threat defence (MTD) solution on their device if they have not done so already. These services typically address threats at the device, application and network level, and should provide adequate protection. For users of corporate devices, MTD should form part of an enterprise mobility management strategy.
Currently available tools include Proofpoint’s Mobile Defense, Symantec’s Endpoint Protection Mobile, Zimperium’s zIPS and Check Point’s own SandBlast Mobile.
All Rights Reserved, Copyright 2000 – 2020, TechTarget