Popular Apps Using Google Play Core Library Susceptible To Data Hijacking Leaving Millions At Risk

Vulnerabilities crop up regularly, so users need to stay alert and developers need to patch their programs for everyone's benefit. When a developer neglects that responsibility, people and their data are left at risk. Back in August, a vulnerability in Google's Play Core library that let a malicious app already on an Android device run code inside another app was publicly disclosed. Now it turns out that some widely used apps still have not updated to fix the problem.

Aviran Hazum and Jonathan Shimonovich of Check Point Research reported on the vulnerability, tracked as CVE-2020-8913, which Google patched in April of this year. It is rated 8.8 out of 10 on the Common Vulnerability Scoring System (CVSS) and affects Google's Play Core library in versions earlier than 1.7.2, the release that carries the fix. While the researchers gave only a brief overview of how the attack works, the more surprising finding was that several popular apps had still not been updated to mitigate the vulnerability. According to the researchers, these apps included the following:
Social – *Viber
Travel – *Booking
Business – ***Cisco Teams
Maps and Navigation – Yango Pro (Taximeter), **Moovit
Dating – **Grindr, OKCupid
Browsers – Edge
Utilities – Xrecorder, PowerDirector

All the companies behind these apps were notified of the vulnerability. The apps marked with an asterisk had been patched as of publication (those marked ** or *** were only patched as of this afternoon). The catch is that Play Core is a library compiled into each app rather than a component of Android itself, so Google's fix only reaches users once every developer that uses Play Core updates to a fixed version and ships a new build. This is not something Google can do on the developers' behalf; it is up to each of them.
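Because the fix is a dependency bump that every app team has to make for itself, the practical check is whether a build pulls in a Play Core release older than 1.7.2. The script below is an added example and is not code from the article or from Check Point; it scans Gradle dependency declarations for the real Maven coordinate com.google.android.play:core and flags any version below the fixed release named in the advisory. The build.gradle text it runs against is constructed for illustration.

```python
"""Flag Gradle dependencies on a Play Core release older than 1.7.2.

Added example, not from the article or Check Point's research. It assumes
the Maven coordinate com.google.android.play:core (the real artifact) and
the fixed release 1.7.2 stated in the advisory; the sample build file
below is constructed, not taken from any real app.
"""
import re
from typing import List, Tuple

PLAY_CORE_GROUP = "com.google.android.play"
PLAY_CORE_ARTIFACT = "core"
FIXED_VERSION = (1, 7, 2)  # first Play Core release containing the CVE-2020-8913 fix

# Matches Groovy and Kotlin DSL forms, e.g.
#   implementation 'com.google.android.play:core:1.6.4'
#   implementation("com.google.android.play:core:1.8.0")
DEP_RE = re.compile(
    r"""(?P<conf>\w+)\s*\(?\s*['"]"""
    + re.escape(PLAY_CORE_GROUP) + ":" + re.escape(PLAY_CORE_ARTIFACT)
    + r""":(?P<version>[^'"]+)['"]"""
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.7.2' into (1, 7, 2); parsing stops at the first non-numeric part."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the declared version is below 1.7.2.

    A dynamic or unparsable version (e.g. '+') cannot be verified from the
    build file alone, so it is reported as vulnerable rather than silently
    passed; (1, 7) compares below (1, 7, 2), which is the intended result.
    """
    parsed = parse_version(version)
    if not parsed:
        return True
    return parsed < FIXED_VERSION


def find_play_core(gradle_text: str) -> List[Tuple[str, str]]:
    """Return (configuration, version) for every Play Core dependency declared."""
    return [(m.group("conf"), m.group("version")) for m in DEP_RE.finditer(gradle_text)]


def audit(gradle_text: str) -> List[str]:
    """One finding line per Play Core dependency, marking vulnerable versions."""
    findings = []
    for conf, version in find_play_core(gradle_text):
        status = "VULNERABLE (CVE-2020-8913)" if is_vulnerable(version) else "ok"
        findings.append(
            f"{conf} {PLAY_CORE_GROUP}:{PLAY_CORE_ARTIFACT}:{version}: {status}"
        )
    return findings


# Constructed sample build file: one stale module and one updated module.
SAMPLE_GRADLE = """\
dependencies {
    implementation 'androidx.appcompat:appcompat:1.2.0'
    implementation 'com.google.android.play:core:1.6.4'
    implementation("com.google.android.play:core:1.8.0")
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRADLE):
        print(finding)
```

Run it against each module's build.gradle in a multi-module project; a version that is declared as a Gradle variable or resolved transitively will not appear in the file, so pair this with `./gradlew dependencies` on the release configuration to confirm what actually ships.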

Overall, it is impressively bad that companies needed prodding nearly seven months after the patch was released and three months after details of the vulnerability were public. Developers need to keep track of the libraries they ship and the known vulnerabilities in them, and they cannot take a laissez-faire approach to security, because that ends poorly for everyone involved.