Infosec bods from Check Point have discovered that popular apps are still running outdated versions of Google’s Play Core library for Android - versions that contained a remote file inclusion vulnerability.
While Google patched the vuln in April, long before its public disclosure, Check Point found in recent research that it was still present in some Android apps.
These included Cisco Teams, dating apps such as Grindr, OKCupid and Bumble, and navigation app Moovit among others.
“The vulnerability allows a threat actor to inject malicious code into vulnerable applications, granting access to all the same resources on the user’s phone as the hosting application,” said Check Point in a statement.
The vuln, CVE-2020-8913, was first uncovered in August by researchers at Oversecured. They found that the Play Core Library, an in-app update and streamlining feature offered to Android devs, could be abused to “add executable modules to any apps using the library”.
Aviran Hazum, Check Point’s mobile research manager, said in a statement: “Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application... a threat actor could inject code into social media applications to spy on victims or inject code into IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination.”
The mobile app security firm that discovered the flaw added that it could also lead to leaks of users’ “credentials and financial details, including credit card history” as well as “interception and f ..