- High profile android apps still exposed to a CVE reported in August, patched in April
- If exploited, attacker can grab credentials, steal 2FA codes, gain access to corporate resources and spy using location access
- Apps vulnerable include : Edge, OKCupid, , **Grindr and ***Cisco teams and more
A new vulnerability for the Google Play Core Library was published late August, given the CVE-2020-8913, which allows Local-Code-Execution (LCE) within the scope of any application that has the vulnerable version of the Google Play Core Library. Code execution is an attacker’s ability to execute arbitrary commands or code.
The Play Core Library is the app’s runtime interface with the Google Play Store. Some of the actions that can be taken with Play Core include the following:
- Download additional language resources
- Manage delivery of feature modules
- Manage delivery of asset packs
- Trigger in-app updates
- Request in-app reviews
The Library is a gateway for interacting with Google Play Services from within the application itself, starting from dynamic code loading (e.g. downloading additional levels only when needed), to delivering locale-specific resources, to interacting with Google Play’s review mechanisms.
What is CVE-2020-8913?
Inside the sandbox of each application, there are 2 folders: one for “verified” files received from Google Play, and another for “non-verified” files. Files downloaded from Google Play services go into the verified folder, while files downloaded from other sources are sent to the non-verified folder. When a file is written to the verified folder, it interacts with the Google Play Core library which loads and executes it.
Another feature, an exported intent, allows other sources to push files into the hosting application’s sandbox. There are some limitations: the file is pushed into the non-verified folder, and it is not automatically handled by the library.
The vulnerability lies within the combination of the two features mentioned above, and also utilizes file traversal, a concept as old as the internet itself.
When we combine popular applications that utilize the Google Play Core library, and the Local-Code-Execution vulnerability, we can clearly see the risks. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications and have the same access as the vulnerable application.
The impact can present several high risks, such as:
- Inject code into banking applications to grab credentials, while have SMS permissions to steal the Two-Factor Authentication (2FA) codes.
- Inject code into Enterprise applications to gain access to corporate resources.
- Inject code into social media applications to spy on the victim, and use location access to track the device.
- Inject code into IM apps to grab all messages, and possibly send messages on the victim’s behalf.
Google patched this vulnerability on April 6, 2020, so why is this still relevant?
The patch needs to be pushed by the developers into the application. Unlike server-side vulnerabilities, where the vulnerability is patched completely once the patch is applied to the server, for client-side vulnerabilities, each developer needs to grab the latest version of the library and insert it into the application.
Since the publication of this vulnerability, we started monitoring vulnerable applications.
During the month of September 2020, 13% of Google Play applications analyzed by SandBlast Mobile used this library, and 8% of those apps had a vulnerable version.
We also compared the September versions to the current versions on Google Play, so that we could see which applications are still affected. To our surprise, we discovered vulnerable applications from a large variety of genres:
- Social – *Viber
- Travel – *Booking
- Business – ***Cisco Teams
- Maps and Navigation – Yango Pro (Taximeter), **Moovit
- Dating – **Grindr, OKCupid
- Browsers – Edge
- Utilities – Xrecorder, PowerDirector
*Prior to this publication, we have notified the Apps about the vulnerability and the need to update the version of the library , in order not to be affected. Viber & Booking updated to the patched versions after our notification.
** 19:00 December 3rd 2020 – Both Grindr & Moovit have updated their versions to the patched version and are no longer vulnerable
*** 19:25 December 3rd 2020 – Cisco teams updated to the latest version and the app is no longer vulnerable
How to protect yourself:
Check Point SandBlast Mobile is the market-leading Mobile Threat Defense (MTD) solution, providing the widest range of capabilities to help you secure your mobile workforce.
SandBlast Mobile provides protection for all mobile vectors of attack, including the download of malicious applications and applications with malware embedded in them. To learn more about how you can protect yourself from mobile malware, please check out SandBlast Mobile.