Breach Notification , Cybercrime , Fraud Management & Cybercrime

Google Play Source Code Flaw Makes Apps Vulnerable

Check Point: Flaw Could Allow Attackers to Steal Credentials
Google Play Source Code Flaw Makes Apps Vulnerable
The attack chain when CVE-2020-8913 is exploited (Source: Check Point)

A source code flaw in the Google Play store platform could enable attackers to perform remote code execution allowing credential theft on several prominent apps , a new report by security firm Check Point Research finds.

See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries

The vulnerability, tracked as CVE-2020-8913, is a code execution flaw in Android's Play Core Library, which permits apps to interact with Google Play Services from within the application itself. Some of these services used by the apps include downloading of additional language resources and receiving app updates.

Check Point researchers note attackers can exploit the flaw to inject malicious code, which will enable attackers to steal banking credentials, two-factor authentication codes and messages from instant messaging apps, as well as spy on the victims. As a result, the researchers note, unpatched apps using Play Core Library will be vulnerable to various attacks.

A Critical Vulnerability

Although Google released patches for the flaw in April, the report notes several app developers have not updated to the latest patch, leaving their apps vulnerable to attacks.

"Since the publication of this vulnerability, we started monitoring vulnerable applications," the report notes. "During the month of September 2020, 13% of Google Play applications analyzed by SandBlast Mobile used this library, and 8% of those apps had a vulnerable version."

Vulnerable apps include messaging app Viber, Cisco Teams, Microsoft Edge and the utilities Xrecorder and PowerDirector, according to the report.

Hacking Google Chrome Apps

The Play Core Library vulnerability was first discovered by security firm Oversecured in August. According to the researchers, if exploited, the vulnerability enables the attackers to perform arbitrary code executions, as well as steal or overwrite arbitrary files in the Google Play Core library’s source code.

"An exploit was written to steal arbitrary files, and a draft report was written to send to Google. Subsequently, the scope for developing the attack was investigated," Oversecured said in its analysis. "As a result, the updated exploit made it possible to substitute executable files and achieve the execution of arbitrary code. The testing took place on the Google Chrome app."

Google considers the vulnerability "highly dangerous," the report notes. "It meant many popular apps, including Google Chrome, were vulnerable to arbitrary code execution," Oversecured said, adding, "This could lead to leaks of users’ credentials and financial details, including credit card history; as well as interception and falsification of their browser history, cookie files, etc."

Mobile App Security

While Google has developed policies and tools to keep these types of malicious apps off the Play store, fraudsters continue to find ways around the protections.

Last month, Google removed two Chinese-made Android apps from the Google Play store after security researchers found they were collecting and possibly leaking data that could have been used to track individuals (see: Google Removes 2 Android Apps That Collected User Data).

On Oct. 21, it was reported that malicious Android apps containing intrusive adware were removed from Google Play store (see: Apps Infected With Adware Found on Google Play Store).


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.