A number of high-profile Android apps are still putting users at risk by failing to update their software, security researchers at Check Point have warned. That’s because the teams behind these apps are still using an old version of the Play Core library. For those who don’t know, this is a resource created by Google that enables a number of key features inside Android apps, including the ability to download resources for additional languages, request in-app reviews from users and trigger in-app updates.
It’s a resource used by a dizzying number of app developers – some estimates suggest around 13 percent of all apps available in the Google Play Store use this code from Google. However, when Google updated the resource to patch a bug back in April 2020, some developers didn’t update their apps with the new version of the Play Core library.
That’s what concerns the team at Check Point. Even if you’ve downloaded new versions of the Android app since April, if the developers haven’t updated their apps to use the new version of the Play Core library, then you’re still relying on systems that are at risk of being hacked by cyber criminals. And it’s not just small apps that have been highlighted in the concerning new report: apps from the likes of Microsoft, Booking.com and more have been singled out as not updating to the new version of the Play Core library fast enough.
Check Point Manager of Mobile Research Aviran Hazum said: “We’re estimating that hundreds of millions of Android users are at security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries.”
Google patched the Play Core library earlier this year after it was discovered that a flaw in the system, known as CVE-2020-8913, allows criminals to use the Android app format – an APK, or Android Package Kit – to access private data stored on your device. This includes login information, including your passwords. After the hackers have their hands on these, they’re able to log in and access your apps, potentially changing your login credentials to lock you out of your own account. Access to the account can then be held to ransom.
Not only that, but private messages, including your WhatsApp messages, as well as photos stored on your phone can also be unearthed using the technique, Check Point warns.
In a nutshell – this exploit can allow cyber criminals to rifle through your most intimate messages and photos, and access your private online accounts and banking apps. You really don’t want any of the applications on your smartphone to be harbouring this vulnerability.
Check Point’s Aviran Hazum added: “The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials.
“Or a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination.”
According to the research by Check Point, some of the apps impacted by the vulnerability include Booking.com, Moovit, Grindr, OKCupid, Microsoft Edge, Viber, Cisco Teams, and PowerDirector. After the developers were alerted to the flaw, the Viber and Booking apps have since been patched, Check Point says.
The rest are still vulnerable. Check Point cautions Android users to invest in some security software for their devices.