Popular applications such as Grindr, OkCupid, Cisco Teams and more on the official Google Play Store continue to be vulnerable to the known vulnerability CVE-2020-8913, and concluding that hundreds of millions of Android users are still at a significant security risk, security researchers at Check Point Research revealed on Tuesday.
Initially reported in late August by researchers at Oversecured, the vulnerability allows a threat actor to inject malicious code into vulnerable applications, granting access to all the same resources of the hosting application. Such a malicious app can siphon off sensitive data from other apps on the same device.
The researchers randomly selected a number of high-profile apps to confirm the existence of vulnerability CVE-2020-8913 and the bug was confirmed in popular apps, including Grindr, Bumble, OKCupid, Cisco Teams, Yango Pro, Edge, Xrecorder, PowerDirector among others.
“We’re estimating that hundreds of millions of Android users are at a security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application,” Aviran Hazum, Manager of Mobile Research, Check Point, said in a statement.
“For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials. Or, a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination.”
The flaw is rooted in Google’s widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps. The vulnerability makes it possible to add executable modules to any apps using the library, meaning arbitrary code could be executed within them. An attacker who has a malware app installed on the victim’s device could steal users’ private information, such as login details, passwords, financial details, and read their mail.