Patches for a flaw (CVE-2020-8913) in the Google Play Core Library have not been implemented by several popular Google Play apps, including Edge.
Researchers are warning that several popular Google Play applications including mobile browser app Edge, have yet to push out an important update addressing a high-severity vulnerability in the Google Play Core Library.
The vulnerability exists in Google Play Core Library, which is utilised by various popular applications like Google Chrome, Facebook & Instagram.
This is essentially a gateway for interacting with Google Play services from within the application itself, allowing developers to carry out various processes like dynamic code loading, delivering locale-specific resources & interacting with Google Play’s review mechanisms.
The vulnerability (CVE-2020-8913) in the Google Play Core Library is a local, arbitrary code execution issue in the SplitCompat.install endpoint in of Android’s Play Core Library (in versions prior to 1.7.2).
The flaw, which ranks 8.8 out of 10 on the CVSS v3 scale, making it high severity, was previously disclosed in late Aug. Google patched the flaw on April 6. However, in a report issued Thurs. by Check Point researchers warned that the patch still needs to be pushed out by developers for several applications, & potentially still impacts 100s of millions of Android users.
“Unlike server-side vulnerabilities, where the vulnerability is patched completely once the patch is applied to the server, for client-side vulnerabilities, each developer needs to grab the latest version of the library & insert it into the application,” said Aviran Hazum & Jonathan Shimonovich, security researchers with Check Point Research on Thurs..
As of Sept., researchers had found that 13% of Google Play applications used the Google Play Core Library, & 8% of those apps had a vulnerable version.
These included several popular apps, such as social app Viber, travel app Booking, business app Cisco Teams, navigation apps Yango Pro and Movit, dating apps Grindr, OKCupid & Bumble, mobile browser app Edge & utility apps Xrecorder & PowerDirector.
Some have produced patches, including, as of Dec. 4, Bumble. As of Dec. 2, Cisco has also addressed this vulnerability in the latest version of Cisco Webex Teams, released in the Google Play Store, said a Cisco spokesperson.
“Prior to this publication, we have notified all apps about the vulnerability & the need to update the version of the library, in order not to be affected,” commented researchers. “Further tests show Viber & Booking updated to the patched versions after our notification.”
In order to exploit the flaw, an attacker would need to convince a victim to install a malicious application. The malicious app would then exploit one of the applications with a vulnerable version of the Google Play Core Library. The library handles the payload, loads it & executes the attack; the payload can then access all of the resources available in the hosting application.
This flaw “is extremely easy to exploit,” commented researchers. “All you need to do is to create a ‘hello world’ application that calls the exported intent in the vulnerable app to push a file into the verified files folder with the file-traversal path. Then sit back & watch the magic happen.”
The potential impact of an exploit could be serious, researchers outlined. If a malicious application exploits this vulnerability, it can execute code inside popular applications & have the same access as the vulnerable application, they warned.
That could create a number of malicious situations, including attackers injecting code into banking applications to steal credentials & steal 2-factor authentication (2FA) codes, injecting code into enterprise applications to access sensitive corporate resources, or injecting code into instant-messaging apps to view – & even send – messages on the victim’s behalf.
Researchers explained that they reached out to Google with their findings. Google responded in a statement: “The relevant vulnerability CVE-2020-8913 does not exist in up-to-date Play Core versions.” Application developers are urged to update to Android’s Play Core Library version 1.7.2.