Google Apps Vulnerable to Old Source Code Flaw

An old bug in the Google Play Store leaves approximately 8 percent of Google Play Store apps vulnerable. Security researchers from Check Point said they found hundreds of apps with millions of downloads that are vulnerable to attack.

According to ZDNet, the bug, tracked as CVE-2020-8913, leaves affected programs open to compromise should threat actors or hackers exploit it.

The security flaw is found in older versions of the Play Core Library, which many apps use today. Popular software that uses the library includes Facebook, Instagram, Google Chrome, WhatsApp, Snapchat, Booking, and Edge.

Google Apps Security Flaw

The Google Play Core Library bridges the gap between developers and processes designed for apps, including interactions with the Google Play Store’s review mechanism and dynamic code loading, reports Threatpost.

According to a statement by Check Point security researchers, the bug can reportedly be used to steal personal information such as two-factor authentication (2FA) codes, as well as location information that can be leveraged to track the victim’s device.

The flaw can also be used to inject code to gain access to corporate information, and to inject code into various instant messaging apps to obtain all messages, with the hackers posing as the user to send messages to the victim’s contact list.

Although the researchers said the security flaw was already patched in April 2020, the patch was never publicly pushed or rallied for by developers. This leaves the affected applications and their users at risk of hacks and other similar threats.

The Check Point security researchers emphasized that developers need to update their applications immediately to the latest version of the Google Play Core Library, rather than expecting the patch to fix the vulnerability by itself.

Six months after the patch for the vulnerability was supposedly issued, ZDNet states that around 13 percent of apps on the Play Store are still operating with the old library version and only 5 percent have successfully updated to the newer version.

Apps across a range of genres continue to be vulnerable to the security flaw, including social, travel, business, maps and navigation, dating, browsers, and utilities. Some of the programs that fall into these categories are the social networking site Viber, dating apps Grindr and OkCupid, and the Edge browser.

Since the blog post’s publication, Grindr, Viber, Booking, Moovit, and Cisco have all updated to the latest versions and are no longer vulnerable. However, a large percentage of programs still remain vulnerable, said Check Point.