Grindr, Bumble, OKCupid, Cisco Teams, Yango Pro, Edge, Xrecorder, PowerDirector, and many other popular apps are still vulnerable to a Play Core library flaw that puts hundreds of millions of Android users’ data to risk, research firm Check Point reports. This flaw was patched by Google in April itself, but app developers themselves must install new Play Core library in order to make threat fully go away. All of the above-mentioned apps are still on the old Play Core library version. Viber and Booking apps were also on the old version, but they soon updated their Play Core library, once intimated by Check Point.
Security researchers at Check Point say that these apps — Grindr, Bumble, OKCupid, Cisco Teams, Yango Pro, Edge, Xrecorder, PowerDirector – are still vulnerable to the to the known vulnerability CVE-2020-8913, even after Google released its patch in April. The flaw is rooted in Google’s widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps. The vulnerability reportedly allows a threat actor to use these vulnerable apps to siphon off sensitive data from other apps on the same device, stealing users’ private information, such as login details, passwords, financial details, and mail.
Google acknowledged this bug and rated it an 8.8 out of 10 in severity. It has been more than half a year since the patch has been rolled out by the tech giant, but app developers haven’t themselves installed the Play Core library update. Check Point notes that 13 percent of Google Play apps analysed by them in September used the Google Play Core library, and 8 percent of those apps continued to have a vulnerable version. Viber and Booking apps updated to patched versions after Check Point notified them about the vulnerability.
Manager of Mobile Research, Check Point, Aviran Hazum says, “We’re estimating that hundreds of millions of Android users are at security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentications codes or inject code into banking applications to grab credentials. Or, a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination.”
All users who have these malicious apps installed on their handsets are putting their sensitive data at risk. Before these apps update their Play Core library, it is recommended to uninstall these apps from your Android phones.
Should the government explain why Chinese apps were banned? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.