Grindr, OkCupid, Viber million other Android apps are at a security risk: Check Point Research
In September 2020, 13 percent of Google Play applications used this library, and 8 percent of those apps had a vulnerable version.
Viber, Grindr, OkCupid and several other Android apps have been found to be unguarded against the vulnerability CVE-2020-8913, which means users of these apps face a security risk. The vulnerability "allows Local-Code-Execution (LCE) within the scope of any application that has the vulnerable version of the Google Play Core Library. Code execution is an attacker’s ability to execute arbitrary commands or code," according to security researchers at Check Point Research. The vulnerability was published back in August 2020.
For the uninitiated, the 'Play Core Library' is the app’s runtime interface with the Google Play Store. Some of the actions that can be taken with Play Core include triggering in-app updates, requesting in-app reviews and downloading additional language resources, among others.
As per the researchers (via SandBlast Mobile), in September 2020, 13 percent of Google Play applications used this library, and 8 percent of those apps had a vulnerable version. For perspective, as of the third quarter of 2020, Google Play store had over 2.87 million apps on the platform.
Google patched this vulnerability on 6 April 2020; however, developers are yet to push the patch to their applications.
Notably, when a vulnerability is on the server end, the issue can be patched once and the fix applies completely to the affected apps. When it is on the client end, however, the developers of every affected app need to get the latest version of the library and apply it to their app.
What is vulnerability CVE-2020-8913?
Before we understand the vulnerability, we need to understand a small part of how mobile applications work.
Every mobile application sandbox has “verified” files from Google Play store and "non-verified" ones. The files that are downloaded from the official source, which in this case is Google Play, go into the verified folder, whereas files that are downloaded from other sources are sent to the non-verified folder. When a file is written to the verified folder, it interacts with the Google Play Core library which loads and executes it.
Another feature is the ability to let other sources push files into the hosting application’s sandbox. However, these files are pushed only into the non-verified folder, and they are not automatically handled by the library.
"The vulnerability lies within the combination of the two features mentioned above, and also utilizes file traversal, a concept as old as the internet itself. When we combine popular applications that utilize the Google Play Core library, and the Local-Code-Execution vulnerability, we can clearly see the risks. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications and have the same access as the vulnerable application," according to researchers at Check Point.
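The file-traversal risk the researchers describe comes from an externally supplied file name resolving outside the non-verified folder it was meant for. As an added illustration (not code from the article or from the Play Core library), here is the path-containment check a receiving component should apply before writing such a file; the folder names and function names are assumptions.

```python
import os
import tempfile

# Constructed model of an app sandbox: a "verified" folder the library loads
# from and a "non-verified" folder other sources may push files into.
# Names are illustrative assumptions, not the Play Core library's own API.
VERIFIED = "verified"
NON_VERIFIED = "non-verified"


def safe_target_path(sandbox_root, requested_name):
    """Return the absolute path under the non-verified folder for an
    externally supplied name, or None if the name would resolve outside
    that folder (the file-traversal case described in the article)."""
    base = os.path.realpath(os.path.join(sandbox_root, NON_VERIFIED))
    candidate = os.path.realpath(os.path.join(base, requested_name))
    # The resolved path must be the base itself or a descendant of it.
    # Comparing with a trailing separator stops "non-verified-evil"
    # from matching "non-verified".
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def push_file(sandbox_root, requested_name, data):
    """Write data into the non-verified folder only if the name stays
    inside it. Returns True when written, False when rejected."""
    target = safe_target_path(sandbox_root, requested_name)
    if target is None:
        return False
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as f:
        f.write(data)
    return True


def demo():
    """Build a constructed sandbox, then try a normal name and a
    traversal name. Returns (normal_written, traversal_written,
    verified_folder_still_empty)."""
    root = tempfile.mkdtemp()
    for folder in (VERIFIED, NON_VERIFIED):
        os.makedirs(os.path.join(root, folder))
    ok = push_file(root, "lang_pack.bin", b"constructed sample")
    escaped = push_file(root, os.path.join("..", VERIFIED, "x.bin"), b"x")
    verified_empty = os.listdir(os.path.join(root, VERIFIED)) == []
    return ok, escaped, verified_empty


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```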
The vulnerability can create serious risks, such as "injecting code into banking applications to grab credentials, while having SMS permissions to steal the Two-Factor Authentication (2FA) codes, injecting code into social media applications to spy on the victim, and using location access to track the device", among others.