Google Play Source Code Flaw Makes Apps Vulnerable
Check Point: Flaw Could Allow Attackers to Steal Credentials
A source code flaw in the Google Play store platform could enable attackers to perform remote code execution, allowing credential theft on several prominent apps, a new report by security firm Check Point Research finds.
The vulnerability, tracked as CVE-2020-8913, is a code execution flaw in Android's Play Core Library, which permits apps to interact with Google Play Services from within the application itself. Services the apps use through the library include downloading additional language resources and receiving app updates.
Check Point researchers note attackers can exploit the flaw to inject malicious code, which will enable attackers to steal banking credentials, two-factor authentication codes and messages from instant messaging apps, as well as spy on the victims. As a result, the researchers note, unpatched apps using Play Core Library will be vulnerable to various attacks.
A Critical Vulnerability
Although Google released patches for the flaw in April, the report notes several app developers have not updated to the latest patch, leaving their apps vulnerable to attacks.
"Since the publication of this vulnerability, we started monitoring vulnerable applications," the report notes. "During the month of September 2020, 13% of Google Play applications analyzed by SandBlast Mobile used this library, and 8% of those apps had a vulnerable version."
Vulnerable apps include messaging app Viber, Cisco Teams, Microsoft Edge and the utilities Xrecorder and PowerDirector, according to the report.
Hacking Google Chrome Apps
The Play Core Library vulnerability was first discovered by security firm Oversecured in August. According to the researchers, if exploited, the vulnerability enables attackers to execute arbitrary code, as well as steal or overwrite arbitrary files in the Google Play Core library’s source code.
"An exploit was written to steal arbitrary files, and a draft report was written to send to Google. Subsequently, the scope for developing the attack was investigated," Oversecured said in its analysis. "As a result, the updated exploit made it possible to substitute executable files and achieve the execution of arbitrary code. The testing took place on the Google Chrome app."
Google considers the vulnerability "highly dangerous," the report notes. "It meant many popular apps, including Google Chrome, were vulnerable to arbitrary code execution," Oversecured said, adding, "This could lead to leaks of users’ credentials and financial details, including credit card history; as well as interception and falsification of their browser history, cookie files, etc."
Mobile App Security
While Google has developed policies and tools to keep these types of malicious apps off the Play store, fraudsters continue to find ways around the protections.
Last month, Google removed two Chinese-made Android apps from the Google Play store after security researchers found they were collecting and possibly leaking data that could have been used to track individuals (see: Google Removes 2 Android Apps That Collected User Data).
On Oct. 21, it was reported that malicious Android apps containing intrusive adware were removed from the Google Play store (see: Apps Infected With Adware Found on Google Play Store).