Security News > 2020 > December > Android devs: If you're using the Google Play Core Library, update it against this remote file inclusion CVE. Pronto
Infosec bods from Check Point have discovered that popular apps are still running outdated versions of Google's Play Core library for Android - versions that contained a remote file inclusion vulnerability.
They found that the Play Core Library, an in-app update and streamlining feature offered to Android devs, could be abused to "Add executable modules to any apps using the library".
Aviran Hazum, Check Point's mobile research manager, said in a statement: "Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application... a threat actor could inject code into social media applications to spy on victims or inject code into IM apps to grab all messages. The attack possibilities here are only limited by a threat actor's imagination."
The Google Play Core Library, as Oversecured summarised it at the vuln's disclosure in August, "Allows updates to various parts of an app to be delivered at runtime without the participation of the user, via the Google API." It also allows app devs to shrink the size of.
While the immediate impact of this should have been low given that Google patched the library months ago, mobile developers who haven't updated their Google Play Core Library implementations since April should do so immediately - and slap themselves on the wrists if they haven't already done that thing.
News URL
Related news
- Crypto-stealing iOS, Android malware found on App Store, Google Play (source)
- SpyLend Android malware downloaded 100,000 times from Google Play (source)
- Google blocked 2.36 million risky Android apps from Play Store in 2024 (source)
- Google Bans 158,000 Malicious Android App Developer Accounts in 2024 (source)
- Google fixes Android kernel zero-day exploited in attacks (source)
- Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104 (source)
- Google patches odd Android kernel security bug amid signs of targeted exploitation (source)
- Google Play, Apple App Store apps caught stealing crypto wallets (source)
- Week in review: Exploited 7-Zip 0-day flaw, crypto-stealing malware found on App Store, Google Play (source)
- Google Confirms Android SafetyCore Enables AI-Powered On-Device Content Classification (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-08-12 | CVE-2020-8913 | Path Traversal vulnerability in Android Play Core Library A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2. | 8.8 |