Countless Android Apps Still Vulnerable To Major Patched Bug, Jeopardizing Hundreds Of Millions Of Users - GADGET-INNOVATIONS

(Countless apps on Google’s Play Store are still vulnerable to a known bug, CVE-2020-8913, that allows threat actors to inject malicious code into vulnerable applications, in order to gain access to all the same resources of the hosting application. Threat actors can use the vulnerable apps to siphon off sensitive data from other apps on the same device, stealing users’ private information, such as login details, passwords, financial details, and mail)

· The security flaw is rooted in Google’s widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps

· Google fixed the flaw in April 2020, but developers themselves must install the new Play Core library to make the threat fully go away

· Check Point researchers randomly selected a number of high-profile apps to confirm the existence of vulnerability CVE-2020-8913. The vulnerability was confirmed in Grindr, Bumble, OKCupid, Cisco Teams, Yango Pro, Edge, Xrecorder, PowerDirector

· Check Point researchers demonstrate exploitation of the vulnerability on Android’s Google Chrome application

Security researchers at Check Point have confirmed that popular applications on Google’s Play Store continue to be vulnerable to the known vulnerability CVE-2020-8913, concluding that hundreds of millions of Android users are still at significant security risk. First reported in late August by researchers at Oversecured, the vulnerability allows a threat actor to inject malicious code into vulnerable applications, granting access to all the same resources of the hosting application. For example, a malicious app can siphon off sensitive data from other apps on the same device. 

The flaw is rooted in Google’s widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps. The vulnerability makes it possible to add executable modules to any app using the library, meaning arbitrary code could be executed within it. An attacker who has a malware app installed on the victim’s device could steal users’ private information, such as login details, passwords and financial details, and read their mail.

Developers Need to Update, Now. 

Google acknowledged and patched the bug on April 6, 2020, rating it an 8.8 out of 10 for severity. However, the patch needs to be pushed by the developers themselves into their respective applications, in order for the threat to fully go away. Check Point researchers decided to randomly select a number of high-profile apps to see which developers actually implemented the patch provided by Google. 
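As an added example (not code from Check Point, Google or the original article), this is one way a developer could audit their own Gradle build files for a Play Core dependency older than the patched release. The article does not state the patched version number, so `FIRST_FIXED_PLACEHOLDER` and every version in the sample are constructed placeholders; only the string dependency notation is handled.

```python
import re

# Gradle string-notation dependency on the Play Core library.
PLAY_CORE = re.compile(r"com\.google\.android\.play:core:([^'\"\s)]+)")

# Placeholder, not the real patched version (the article does not state it).
FIRST_FIXED_PLACEHOLDER = "9.9.9"

def parse_version(text):
    """'1.10.3' -> (1, 10, 3); None for dynamic versions or variables."""
    parts = text.split(".")
    return tuple(map(int, parts)) if all(p.isdecimal() for p in parts) else None

def is_older(version, fixed):
    """Numeric comparison, zero-padded so 2.0 is not older than 2.0.0."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def audit_gradle(gradle_text, first_fixed):
    """Return (line_no, declared_version, status) per Play Core dependency."""
    fixed = parse_version(first_fixed)
    if fixed is None:
        raise ValueError("first_fixed must be a dotted numeric version")
    findings = []
    for line_no, line in enumerate(gradle_text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # skip commented-out declarations
        for declared in PLAY_CORE.findall(code):
            parsed = parse_version(declared)
            if parsed is None:  # '9.+' or '$playCoreVersion': resolve by hand
                status = "review"
            else:
                status = "outdated" if is_older(parsed, fixed) else "ok"
            findings.append((line_no, declared, status))
    return findings

# Constructed build.gradle fragment; every version number here is made up.
SAMPLE_GRADLE = """\
dependencies {
    implementation 'androidx.core:core:9.9.8'
    implementation 'com.google.android.play:core:9.9.8'
    // implementation 'com.google.android.play:core:9.0.0'
    implementation "com.google.android.play:core:9.+"
    implementation "com.google.android.play:core:9.10.0"
}
"""

if __name__ == "__main__":
    print(audit_gradle(SAMPLE_GRADLE, FIRST_FIXED_PLACEHOLDER))
```

A "review" status means the declared version is dynamic or a variable, so the resolved version has to be checked in the build's dependency report instead.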

Vulnerable Apps Confirmed 

During September 2020, 13% of the Google Play applications analyzed by Check Point researchers used the Google Play Core library, and 8% of those applications continued to have a vulnerable version. The following applications are still vulnerable on Android:

· Social – *Viber

· Travel – *Booking

· Business – Cisco Teams

· Maps and Navigation – Yango Pro (Taximeter)

· Dating – Grindr, OKCupid, Bumble

· Browsers – Edge

· Utilities – Xrecorder, PowerDirector

*Prior to this publication, we notified all apps about the vulnerability and the need to update the version of the library in order not to be affected. Further tests show Viber and Booking updated to the patched versions after our notification.

Attack Chain

Check Point researchers have summed up the attack chain to exploit the vulnerability in four steps. 

1. User installs malicious application.

2. Malicious app exploits an application with a vulnerable version of Google Play Core (GPC) library.

3. GPC handles the payload, loads it and executes the attack. 

4. Payload can access all of the resources available in the hosting application.

Demonstration on Google Chrome App

To demonstrate targeting a specific application, Check Point researchers took a vulnerable version of the Google Chrome application and created a dedicated payload to grab its bookmarks. The demonstration shows how someone can grab cookies and use them to hijack an existing session with third-party services, like Dropbox. Once a payload is “injected” into Google Chrome, it has the same access as the Google Chrome app to data such as cookies, history and bookmarks, and to services such as the password manager.

Quote: Manager of Mobile Research, Aviran Hazum

“We’re estimating that hundreds of millions of Android users are at security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials. Or, a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination.”

Response by Google: 

Check Point researchers reached out to Google and communicated their research findings. Google responded with: “The relevant vulnerability CVE-2020-8913 does not exist in up-to-date Play Core versions.”

How to Protect Yourself:

Install a mobile threat defense solution. Check Point SandBlast Mobile is a market-leading Mobile Threat Defense (MTD) solution, providing a wide range of capabilities to help secure mobile workforces. SandBlast Mobile provides protection for mobile vectors of attacks, including the download of malicious applications and applications with malware embedded in them.