Infosec bods from Check Point have discovered that popular apps are still running outdated versions of Google’s Play Core library for Android – versions that contained a remote file inclusion vulnerability.
While Google patched the vuln in April, long before its public disclosure, Check Point found in recent research that it was still present in some Android apps. These included (at the time the report was compiled) Cisco Teams*, dating apps such as Grindr*, OKCupid and Bumble, and navigation app Moovit*, among others.
“The vulnerability allows a threat actor to inject malicious code into vulnerable applications, granting access to all the same resources on the user’s phone as the hosting application,” said Check Point in a statement.
The vuln, CVE-2020-8913, was first uncovered in August by researchers at Oversecured. They found that the Play Core Library, an in-app update and streamlining feature offered to Android devs, could be abused to “add executable modules to any apps using the library”.
Aviran Hazum, Check Point’s mobile research manager, said in a statement: “Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application... a threat actor could inject code into social media applications to spy on victims or inject code into IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination.”
The mobile app security firm that discovered the flaw added that it could also lead to leaks of users’ “credentials and financial details, including credit card history” as well as “interception and falsification of their browser history, cookie files, etc”. It’s a nasty one.
The Google Play Core Library, as Oversecured summarised it at the vuln's disclosure in August, “allows updates to various parts of an app to be delivered at runtime without the participation of the user, via the Google API.” It also allows app devs to shrink the size of .apk files downloaded by users through “loading resources optimized for a particular device and settings (localization, image dimensions, processor architecture, dynamic modules) instead of storing dozens of different possible versions”.
While the immediate impact of this should have been low given that Google patched the library months ago, mobile developers who haven’t updated their Google Play Core Library implementations since April should do so immediately - and slap themselves on the wrists if they haven't already done that thing. Users, of course, should update all their apps - but sadly this can never be guaranteed. ®
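For developers who want to check whether a project still pulls in an old Play Core build, the following is an added example (not code from the article, Check Point or Oversecured) that scans Gradle dependency declarations for the Play Core artifact and flags versions below a caller-supplied patched version. It assumes the library is declared under the Maven coordinate com.google.android.play:core; the threshold version used in the demo is a labelled placeholder, since the article names no version number, and the build file is constructed for illustration.

```python
"""Flag outdated Google Play Core dependencies in Gradle build files.

Added example, not from the article or from Check Point/Oversecured.
Assumptions: the library is declared under the Maven coordinate
com.google.android.play:core, and the minimum patched version is supplied
by the caller from Google's Play Core release notes (the article gives none).
"""
import re
from typing import List, Tuple

PLAY_CORE_COORDINATE = "com.google.android.play:core"

# PLACEHOLDER for the demo only: substitute the patched Play Core version
# published in Google's release notes before using this against a real project.
PATCHED_VERSION_PLACEHOLDER = "1.7.0"

# Matches dependency declarations in both Groovy and Kotlin DSL form:
#   implementation 'group:name:version'
#   implementation("group:name:version")
_DEP_RE = re.compile(
    r"""(?P<conf>\w+)\s*\(?\s*["'](?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<version>[^"']+)["']"""
)

# Constructed build.gradle snippet: one outdated Play Core line, one current
# line, and two unrelated dependencies that must not be reported.
SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'androidx.appcompat:appcompat:1.2.0'
    implementation 'com.google.android.play:core:1.6.4'
    implementation("com.google.android.play:core-ktx:1.8.1")
    api "com.google.android.play:core:1.8.0"
    testImplementation 'junit:junit:4.13'
}
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.7.2' into (1, 7, 2).

    A non-numeric suffix such as '-beta01' is dropped so that '1.7.2-beta01'
    still compares on its numeric components; parsing stops at the first
    component that does not start with a digit.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_outdated_play_core(gradle_text: str, min_patched: str) -> List[Tuple[str, str]]:
    """Return (configuration, version) for each Play Core dependency older than min_patched.

    Only the exact artifact com.google.android.play:core is considered; sibling
    artifacts such as core-ktx are ignored so they do not produce false positives.
    """
    findings = []
    threshold = parse_version(min_patched)
    for m in _DEP_RE.finditer(gradle_text):
        coordinate = f"{m.group('group')}:{m.group('name')}"
        if coordinate != PLAY_CORE_COORDINATE:
            continue
        version = m.group("version")
        if parse_version(version) < threshold:
            findings.append((m.group("conf"), version))
    return findings


if __name__ == "__main__":
    for conf, version in find_outdated_play_core(SAMPLE_BUILD_GRADLE, PATCHED_VERSION_PLACEHOLDER):
        print(f"outdated Play Core dependency: {conf} {PLAY_CORE_COORDINATE}:{version}")
```

Dynamic versions such as `1.+` cannot be resolved statically; `parse_version` truncates them to their numeric prefix, so they compare as older than any concrete threshold and are reported for manual review rather than silently passed.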
Updated to add
*Cisco has been in touch to say it patched Cisco Webex Teams on December 2 to address CVE-2020-8913. Make sure you're running the latest version.
Both Grindr & Moovit have updated their versions as of 3 December to the patched version and are no longer vulnerable.