Known as CVE-2020-8913, the flaw endangers many widely used Android apps such as Grindr, Cisco Teams, Microsoft Edge, Booking.com, Viber, and OkCupid. New Check Point research reveals that many of these high-profile apps are still running an unpatched version of the Google Play Core Library. The bug is rated 8.8 out of 10 in terms of severity and could be exploited to harvest sensitive data, including passwords, financial details, and emails.
What is CVE-2020-8913?
According to the official description, the vulnerability could cause local arbitrary code execution due to issues in the SplitCompat.install endpoint in Android’s Play Core Library versions prior to 1.7.2.
“A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application’s data on the Android device. We recommend all users update Play Core to version 1.7.2 or later,” the NVD advisory says.
Google patched the CVE-2020-8913 flaw on April 6, 2020. However, it seems that several high-profile Android apps are still using vulnerable versions of Android’s Play Core Library. Why is that? The fix ships in the library, so developers need to push the patched version into their own apps, and it is entirely up to them when this happens. A server-side flaw is fixed for everyone once the patch is applied to the server, whereas a client-side flaw requires each developer to take action separately. In the case of the CVE-2020-8913 patch, several vendors have ignored the patch.
What are the dangers stemming from an unpatched Google Play Core Library flaw?
“If a malicious application exploits this vulnerability, it can gain code execution inside popular applications and have the same access as the vulnerable application,” Trend Micro says.
Attack scenarios based on this exploit are unlimited, but here are some of the most probable ones:
- Injecting code into banking applications to grab credentials, while having SMS permissions to steal the Two-Factor Authentication (2FA) codes.
- Injecting code into Enterprise applications to obtain access to corporate resources.
- Injecting code into social media applications to spy on victims and using location access to track their devices.
- Injecting code into IM apps to grab all messages and possibly send messages on the victim’s behalf, Trend Micro researchers warn.
The developers of the vulnerable apps should update and use the patched version of Google Play Core Library to protect their users.
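One way a development team can check its own build files for a Play Core version prior to 1.7.2 is sketched below. This is an added example, not code from Google, Check Point or the article; it assumes the library is declared in Gradle string notation under the Maven coordinate com.google.android.play:core, and the build file content is constructed for illustration.

```python
import re

FIXED = (1, 7, 2)  # first patched Play Core release named in the NVD advisory

# Maven coordinate of the Play Core library, then whatever version text follows.
# Assumption: dependencies use Gradle string notation ('group:name:version').
DEP = re.compile(r"""["']com\.google\.android\.play:core:([^"'@]+)""")


def classify(version):
    """Return 'vulnerable', 'patched' or 'unresolved' for one version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        # Dynamic ('1.+') or variable ('$playCoreVersion') versions cannot be
        # judged from the build file alone; resolve them with Gradle instead.
        return "unresolved"
    # Compare numerically: as plain strings, '1.10.0' would sort below '1.7.2'.
    return "vulnerable" if tuple(map(int, m.groups())) < FIXED else "patched"


def audit(build_file_text):
    """Return (line_number, version, status) for each Play Core declaration."""
    findings = []
    for n, line in enumerate(build_file_text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing and full-line comments
        for m in DEP.finditer(code):
            findings.append((n, m.group(1), classify(m.group(1))))
    return findings


# Constructed sample build.gradle content, not taken from any real app.
SAMPLE = """\
dependencies {
    implementation 'com.google.android.play:core:1.6.4'
    // implementation 'com.google.android.play:core:1.5.0'
    implementation("com.google.android.play:core:1.10.0")
    implementation "com.google.android.play:core:$playCoreVersion"
    implementation 'com.google.android.play:core:1.+'
}
"""

if __name__ == "__main__":
    for n, version, status in audit(SAMPLE):
        print(f"line {n}: play core {version} -> {status}")
```

Entries reported as unresolved need the version Gradle actually resolves, and a copy of the library pulled in transitively by another dependency will not appear in the build file at all.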
Last month, we warned Android users of a new banking Trojan. Dubbed Ghimob, the malware can spy and harvest data from 153 Android applications in countries such as Brazil, Paraguay, Peru, Portugal, Germany, Angola, and Mozambique.