December 7, 2020 5:54:11 pm
A major security flaw, which is rooted in Google’s Play Core Library, is still plaguing many Android apps, including popular names like Grindr, Bumble, Cisco Teams, OkCupid, according to an analysis done by security researchers at Check Point Software Technologies. The bug, which Google had fixed back in April 2020, is still impacting many apps as the developers are yet to fix the flaw, and consequently million of users are at risk, says Check Point Security Research.
The vulnerability, which is named CVE-2020-8913 allows cyber criminals to inject malicious code into vulnerable apps and then execute this code to gain access to all resources of the hosting app. This can be further be exploited to steal sensitive data from other apps on the same device, according to Check Point. The flaw puts users’ private information, such as login details, passwords, financial details, and mail at risk for cyber theft.
What is vulnerability CVE-2020-8913?
The flaw is rooted in Google’s widely used Play Core library. The library lets developers push in-app updates and new feature modules to their Android apps. Google had fixed the issue in April 2020, developers still need to install new Play Core library in order to make threat fully go away, says Check Point. It was first reported in late August by researchers at Oversecured. Google rated this flaw as an 8.8 out of 10 for severity.
The vulnerability makes it possible to add executable modules to any apps using the library. This means any arbitrary code could be executed within them. An attacker who has a malware app installed on the victim’s device could steal users’ private information, such as login details, passwords, financial details, and read their mail.
Which apps are impacted by CVE-2020-8913?
The firm randomly selected a number of high-profile apps to confirm the existence of vulnerability CVE-2020-8913. Popular apps like Viber, Grindr, Bumble, OKCupid, Cisco Teams, Yango Pro, Edge, Xrecorder, PowerDirector all had the flaw.
During the month of September 2020, 13 per cent of Google Play apps analysed by Check Point researchers used the Google Play Core library, and 8 percent of those applications continued to have a vulnerable version. While Viber and Booking updated to the patched versions, the rest still need to be update.
Check Point says developers need to push the patch themselves in order for the threat to fully go away. It has notified all apps about the vulnerability and the need to update the version of the library, in order not to be affected.