Mumbai: Check Point researchers have confirmed that popular applications on Google’s Play Store continue to be vulnerable to the known vulnerability CVE-2020-8913. Due to this vulnerability, hundreds of millions of Android users are still at a significant security risk.
Oversecured researchers first reported the vulnerability in late August cured, the vulnerability allows a threat actor to inject malicious code into vulnerable applications, granting access to all the same resources of the hosting application.
For example, a malicious app can siphon off sensitive data from other apps on the same device. The flaw is rooted in Google’s widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps.
The vulnerability makes it possible to add executable modules to any apps using the library, meaning arbitrary code could be executed within them. An attacker who has a malware app installed on the victim’s device could steal users’ private information, such as login details, passwords, financial details, and read their mail.
Developers Need to Update, Now.
Google acknowledged and patched the bug on April 6, 2020, rating it an 8.8 out of 10 for severity. However, the patch needs to be pushed by the developers themselves into their respective applications, in order for the threat to fully go away.
Check Point researchers decided to randomly select a number of high-profile apps to see which developers actually implemented the patch provided by Google.
Vulnerable Apps Confirmed
During the month of September 2020, 13% of Google Play applications analyzed by Check Point researchers used the Google Play Core library, where 8% of those applications continued to have a vulnerable version. The following applications are still vulnerable on Android:
·Social –Viber ·Travel –Booking
·Business – Cisco Teams
Maps and Navigation – Yango Pro (Taximeter)
· Dating – Grindr, OKCupid, Bumble
· Browsers – Edge
·Utilities – Xrecorder, PowerDirector
Prior to this, we have notified all Apps about the vulnerability and the need to update the version of the library , in order not to be affected. Further tests showViber, & Booking updated to the patched versions after our notification.
Attack Chain
Check Point researchers have summed up the attack chain to exploit the vulnerability in four steps.
- User installs malicious application.
- Malicious app exploits an application with a vulnerable version of Google Play Core (GPC) library.
- GPC handles the payload, loads it and executes the attack.
- Payload can access all of the resources available in the hosting application.
Demonstration on Google Chrome App
To demonstrate targeting a specific application, Check Point researchers took a vulnerable version of the Google Chrome application and created a dedicated payload to grab its bookmarks.
The demonstrations show how someone can grab cookies to use them as a means to Hijack an existing session with 3rd party services, like DropBox. Once a payload is “injected” into Google Chrome, the payload will have the same access as the Google Chrome app to data, such as cookies, history and bookmarks for the data, and password manager as a service.
“We’re estimating that hundreds of millions of Android users are at security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous,” said Aviran Hazum, Manager of Mobile Research, Check Point.
“If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentications codes or inject code into banking applications to grab credentials,” added Hazum.
“Or, a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination,” he daded.
Response by Google:
Check Point researchers reached out to Google and communicated their research findings. Google responded with: “The relevant vulnerability CVE-2020-8913 does not exist in up-to-date Play Core versions.”
How to Protect Yourself:
Install a mobile threat defense solution. Check Point SandBlast Mobile is a market-leading Mobile Threat Defense (MTD) solution, providing a wide range of capabilities to help secure mobile workforces. SandBlast Mobile provides protection for mobile vectors of attacks, including the download of malicious applications and applications with malware embedded in them.