Research by Check Point has revealed that some app developers have still not patched an exploitable vulnerability that could affect their users.
It was revealed that a flaw in the Google Play Core Library, the runtime interface for apps with the Google Play Store, was still exploitable on certain Android applications due to lax updating practices.
Check Point says that if exploited, an attacker could access private credentials, steal 2FA codes, gain access to corporate resources and use location access to spy on users.
The CVE-2020-8913 vulnerability, which was patched on the 6th April 2020 and published late August, allows “Local-Code-Execution (LCE) within the scope of any application that has the vulnerable version of the Google Play Core Library,” according to the Check Point research.
“Code execution is an attacker’s ability to execute arbitrary commands or code,” the blog says.
This means a malicious actor could target a specific app that lets them execute code as that app, and access its data held on the user device.
The failure to update is putting millions of users of apps, including dating apps like Bumble, PowerDirector and video connection software Cisco Webex Teams, at risk. Some of these have been fixed since Check Point’s research, but others are still vulnerable.
Aviran Hazum, Check Point’s manager of mobile research, said in a press release: “We’re estimating that hundreds of millions of Android users are at security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries.
“The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials.”
Hazum continued: “Or a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination.”
Android vulnerabilities have already been exposed this year, after research by consumer watchdog Which? discovered that up to 40% of Android users were potentially at risk of attacks after their devices lost the protection of security updates.
Analysed data showed that around two in five Android device users around the world were no longer receiving the important updates, leaving them open to potential attack.
It was discovered in October this year that Chinese tech giant Huawei had vulnerabilities in its systems so severe that they were withheld from the company by researchers.
A report carried out annually by the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) stated that the vulnerability was flagged as being of ‘national concern’ and Huawei’s software engineering and cybersecurity practices were criticised.
NCSC has advised the Oversight Board that it can continue to provide “only limited assurance in the security of the currently deployed equipment in the UK”.