Threat Watch

Some Android Apps Still Vulnerable After Patch Released

Android apps with a combined total of more than 250 million downloads remain vulnerable to a Google Play Core Library flaw that has had a fix available since earlier this year. Mobile app security company Oversecured disclosed the vulnerability in August: it allows a malicious app on the same device to execute code inside a legitimate app. Because that code runs with the legitimate app's permissions and identity, it can monitor and steal whatever data the user enters into the app. The Play Core Library is the component apps use to download and load new parts of themselves (feature modules and in-app updates) from Google Play at runtime. Popular apps such as Chrome, Facebook, Instagram, WhatsApp, and Snapchat use it, and all of those have already shipped updates containing the fix; many other apps have not.

The vulnerability is tracked as CVE-2020-8913 and carries a CVSS score of 8.8 out of 10. Google fixed it in Play Core Library version 1.7.2, but the library is compiled into each app rather than updated centrally by Google, so every developer has to bump the dependency and publish a new build before their users are protected. Three months after disclosure, researchers from Check Point Research found that millions of installs still carry the vulnerable version. Apps named as still vulnerable include Aloha, Walla! Sports, XRecorder, Moovit, Hamal, IndiaMART, Edge, Grindr, Yango Pro (Taximeter), PowerDirector, OkCupid, Teams, and Bumble. Each of them has at least one million downloads, and at least one has more than 100 million.

ANALYST NOTES

Since the most likely use of this flaw is to harvest data and credentials typed into the compromised app, users of these apps should use a unique password for each account, so that a password stolen from one app cannot be reused in credential stuffing attacks against other services. Until the publisher ships an updated build, uninstalling the affected app is the only reliable way to prevent data harvesting, because users cannot update the bundled library themselves. App developers should track security updates for every third-party library in their builds; in this case, they should confirm that their app resolves Play Core Library 1.7.2 or later and push a new release if it does not.
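One way to act on the developer recommendation above, as an added example (not code from the article, Oversecured or Check Point): a script that scans Gradle dependency declarations and `gradle dependencies` output for the `com.google.android.play:core` artifact and flags any effective version below 1.7.2, the fixed version named in the article. The Maven coordinate is Google's real one for the Play Core Library; the build-file snippets and resolved-dependency output embedded below are constructed for illustration. Note that Gradle's conflict resolution can replace a declared version (printed as `1.5.0 -> 1.7.2`), so the script checks the resolved version when one is present.

```python
"""Flag Play Core Library references older than 1.7.2 (CVE-2020-8913 fix).

Added example; not from the article, Oversecured or Check Point. Only the
artifact coordinate and the fixed version 1.7.2 are real; the sample
build-file text and dependency-report output are constructed for this demo.
"""
import re
from typing import List, Tuple

# First Play Core release containing the CVE-2020-8913 fix (per the article).
FIXED_VERSION = (1, 7, 2)

# Matches "com.google.android.play:core:<declared>" optionally followed by the
# "-> <resolved>" arrow that `gradle dependencies` prints after conflict
# resolution. The resolved version is what actually ends up in the APK.
_DEP_RE = re.compile(
    r"com\.google\.android\.play:core:(?P<declared>[\d.]+)"
    r"(?:\s*->\s*(?P<resolved>[\d.]+))?"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.7.2' -> (1, 7, 2); shorter strings are padded so '1.7' == (1, 7, 0)."""
    parts = tuple(int(p) for p in text.strip(".").split(".") if p)
    return parts + (0,) * (3 - len(parts))


def effective_version(match) -> str:
    """Prefer the resolved version (after '->') over the declared one."""
    return match.group("resolved") or match.group("declared")


def find_vulnerable(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, effective_version) for every Play Core reference
    whose effective version is below FIXED_VERSION. Groovy/Kotlin line
    comments ('// ...') are ignored so commented-out dependencies don't fire."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]
        for m in _DEP_RE.finditer(code):
            ver = effective_version(m)
            if parse_version(ver) < FIXED_VERSION:
                findings.append((lineno, ver))
    return findings


# --- constructed sample inputs (not taken from any real project) -------------
SAMPLE_GROOVY = """\
dependencies {
    implementation 'androidx.appcompat:appcompat:1.2.0'
    implementation 'com.google.android.play:core:1.6.4'   // in-app updates
    // implementation 'com.google.android.play:core:1.5.0'
}
"""

SAMPLE_KOTLIN_DSL = """\
dependencies {
    implementation("com.google.android.play:core:1.8.0")
}
"""

# Shape of `./gradlew :app:dependencies --configuration releaseRuntimeClasspath`
# output: a third-party SDK drags in an old Play Core, and the app's own older
# declaration is upgraded by Gradle to that same (still vulnerable) version.
SAMPLE_RESOLVED = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'
+--- com.example.sdk:analytics:2.0.0
|    \\--- com.google.android.play:core:1.6.1
\\--- com.google.android.play:core:1.5.0 -> 1.6.1
"""


if __name__ == "__main__":
    for name, sample in [("build.gradle", SAMPLE_GROOVY),
                         ("build.gradle.kts", SAMPLE_KOTLIN_DSL),
                         ("gradle dependencies", SAMPLE_RESOLVED)]:
        hits = find_vulnerable(sample)
        status = "VULNERABLE" if hits else "ok"
        print(f"{name}: {status} {hits}")
```

Run it against a real project by feeding `find_vulnerable` the contents of each `build.gradle`/`build.gradle.kts` and, more reliably, the output of `./gradlew :app:dependencies`, since only the resolved dependency graph shows versions pulled in transitively by third-party SDKs.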

Source Article: https://www.bleepingcomputer.com/news/security/android-apps-with-250m-downloads-still-vulnerable-to-patched-bug/