Alert! Popular Android apps remain vulnerable to an old flaw




Check Point researchers have issued a warning about a number of Android applications (many of them popular, with millions of unique users) that remain exposed to a vulnerability discovered in August this year. The flaw itself (CVE-2020-8913) is in Google’s Play Core library, which developers use to deliver new resource modules to their software.

The search giant has already fixed the vulnerability in the library itself, but developers also need to update their applications to the new version of Play Core; otherwise their users remain exposed to the threat. Criminals who exploit the flaw are able to compromise the vulnerable app, take control of various smartphone features, and even steal personal data such as logins and passwords.

According to Check Point, in September, 13% of apps on the Play Store were using Play Core; of those, 8% still used the vulnerable version of the library. The apps in question are the following:

  • Viber
  • Booking
  • Cisco Teams
  • Yango Pro
  • Moovit
  • Grindr
  • OkCupid
  • Bumble
  • Edge
  • XRecorder
  • PowerDirector

The developers of all these apps have been informed by the researchers.

It’s interesting – and scary – to note that we’re not talking about unknown applications or applications designed by small teams. Viber is a major player in the communications industry; Booking is a popular hotel booking platform; Cisco Teams is a product of an IT giant; Moovit is a subsidiary of Intel; Grindr and OkCupid are leaders in the relationship apps segment, and Edge is produced by none other than Microsoft itself.

Whose fault is it?

“It is estimated that hundreds of millions of Android users have their security at risk. Even though Google has implemented a patch, many applications are still using outdated Play Core libraries. The CVE-2020-8913 vulnerability is highly dangerous,” explains Aviran Hazum, research manager for the mobile segment at Check Point.

“It [the vulnerability] can, for example, allow an attacker to steal two-factor authentication codes or inject code into banking applications to obtain credentials. Or run code in social networking apps to spy on victims or access their messages. The possibilities of attack are limited only by the aggressor’s imagination,” concludes the executive.

Unfortunately, for now, there isn’t much that the end user can do to protect themselves from such a threat, as the responsibility for the update rests with the developer.

Source: Check Point
