Android: 11 apps with vulnerability CVE-2020-8913 in Google Play Store

Security researchers from Check Point warn Android users about apps with dangerous vulnerabilities in the Google Play Store. Among the popular but vulnerable apps from the Play Store are the dating app Bumble, the app from tour operator Booking and the Microsoft browser Edge.



The warning was emailed directly from Check Point. Their security researchers discovered many unprotected Android apps with serious vulnerabilities. Hackers can use these apps as backdoors to infiltrate smartphones.

Warning from Check Point

The security researchers therefore warn all owners of an Android smartphone about the vulnerable Android apps. The Google Play Store contains eleven apps that have the dangerous vulnerability CVE-2020-8913, which can be exploited as a backdoor. The apps include applications that are popular in Germany, such as those from the tour operator Booking, the conference application Cisco Teams, the Microsoft web browser Edge and the well-known dating apps OKCupid and Bumble. Booking has already released a new version, which should be downloaded urgently. The other providers were also informed by Check Point.

Hackers can use the vulnerability to execute malicious code and thus take full control of the app in question, which also gives them that app's permissions and access to the smartphone. In this way, personal data can be read and stolen, even from other applications, including access data, passwords, financial information or e-mail information.

Smartphones get infected

The infection of the smartphone proceeds as follows: Users unknowingly install a contaminated app. This in turn sends the malicious code to a vulnerable, installed app. The old Play Core Library installed there executes the payload and thus activates the attack itself. Now the payload can take full control of the app.

Illustration: Attack on Android apps (graphic shows the simple attack)



Vulnerability in Google's Play Core Library 

The vulnerability is due to a bug in Google's Play Core Library, which allows application developers to apply updates and new features to their applications. Google itself fixed the bug on April 6, 2020 and assigned a priority of 8.8 out of 10 points, but developers must also update their applications to close the gap.
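For developers who need to check whether their own project still declares an old Play Core Library, the following sketch scans Gradle build files for the dependency. It is an added example, not code from Check Point or Google; the threshold `PLACEHOLDER_FIXED` and the sample build file are constructed, and the real patched release number has to be taken from Google's advisory for CVE-2020-8913.

```python
import re

# Real Maven coordinate of the Play Core Library; the ':' after 'core' excludes core-ktx.
DEP_RE = re.compile(r"""["']com\.google\.android\.play:core:([^"'\s]+)["']""")

# Placeholder threshold, NOT the real patched release: set it from Google's advisory.
PLACEHOLDER_FIXED = "2.0.0"

def parse_version(text):
    """'1.10.3' -> (1, 10, 3); None for variables ('$v') or dynamic versions ('1.+')."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_older(version, fixed):
    """Compare numerically after padding, so (1, 7) equals (1, 7, 0)."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def audit_gradle(text, fixed_version):
    """Return (line_number, declared_version, status) for each Play Core dependency."""
    fixed = parse_version(fixed_version)
    if fixed is None:
        raise ValueError("fixed_version must be a plain dotted version")
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]          # skip commented-out declarations
        for match in DEP_RE.finditer(code):
            declared = match.group(1)
            version = parse_version(declared)
            if version is None:
                status = "unresolved"          # must be checked in the resolved build
            elif is_older(version, fixed):
                status = "outdated"
            else:
                status = "ok"
            findings.append((lineno, declared, status))
    return findings

# Constructed build.gradle content for illustration.
SAMPLE = '''dependencies {
    implementation 'androidx.core:core:1.3.2'
    implementation 'com.google.android.play:core:1.9.9'
    // implementation 'com.google.android.play:core:1.0.0'
    implementation("com.google.android.play:core:$playCoreVersion")
    implementation "com.google.android.play:core:2.0"
}'''
```

Entries reported as "unresolved" use a variable or dynamic version and have to be checked against the dependency tree that the build actually resolves.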

The security researchers at Check Point therefore examined some very popular and widespread apps to check their status. The result is that in September, 13 percent of all applications in the Play Store were using the Play Core Library, and 8 percent of those were still running a vulnerable version. Because apps are continually added to and removed from the Google Play Store catalog, it is not possible to determine an exact number of affected applications.

However, as of October 30, with 2,560,000 apps in the store, this would mean 332,800 apps (13 percent) that have the library built in and 26,624 vulnerable apps (8 percent). Prominent apps that are still at risk are Grindr, Bumble, OKCupid, Cisco Teams, Moovit, Yango Pro, Edge, Xrecorder, PowerDirector, Booking and Viber.

Millions of Android users at risk

Christine Schönig, Regional Director Security Engineering CER, Office of the CTO – Check Point Software Technologies GmbH, explains the research: "We estimate that several hundred million Android users are exposed to a threat. Although Google has implemented a patch to fix the bug, some applications still use outdated Play Core libraries. However, the CVE-2020-8913 vulnerability is extremely dangerous as it can take over other apps completely and steal sensitive data. Among other things, a hacker could use it to steal two-factor authentication codes or inject malicious code into banking applications to obtain such credentials. An attacker could also smuggle malicious code into social media applications to spy on users or into intelligence services to retrieve all messages. The possibilities of an attack are limited only by the imagination of cyber criminals. It is therefore essential to install qualified security solutions that nip such attacks in the bud, especially on end devices carrying corporate data."

Using an old, still vulnerable version of Google Chrome, the security researchers also demonstrate the attack and show it in a video. But the browser is now secure. Their goal was to develop a payload that steals bookmarks. In the video, the experts show how a hacker could steal the cookies in order to crack the browser via a third-party application such as Dropbox. If successful, the payload gets the same permissions and access on the smartphone as the browser app and can therefore read cookies, Chrome history or the password manager. Google was contacted and stated: "The affected vulnerability, CVE-2020-8913, does not exist in updated versions of Play Core." An overview of these results can be found here, and all technical details can be found here.

