Many Android Apps Expose Users to Attacks Due to Failure to Patch Google Library
A vulnerability in the Google Play Core Library continues to impact many applications several months after official patches were released.
The Google Play Core Library allows Android developers to deliver updates to their applications at runtime, via the Google API, without requiring interaction from the user.
Google Chrome, Facebook, Snapchat, and WhatsApp are only some of the apps that use this library.
Tracked as CVE-2020-8913 and addressed in March 2020, the vulnerability is a path traversal that could result in local code execution "within the scope of any application that has the vulnerable version of the Google Play Core Library," Check Point explains.
An analysis performed by Check Point revealed that 13% of Google Play applications used the library, and that 8% of them had a vulnerable version.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-08-12 | CVE-2020-8913 | Path Traversal vulnerability in Android Play Core Library. A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2. | 8.8 |
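
A build-file check for the fixed version named in the entry above, as an added example that is not part of the original article: it flags Gradle declarations of Play Core older than 1.7.2. The Maven coordinate `com.google.android.play:core`, the function names and the sample build file are assumptions made for this example.

```python
import re

# Assumption: Play Core is declared under this Maven coordinate in
# Gradle string notation (Groovy or Kotlin DSL).
COORD = "com.google.android.play:core"
FIXED = (1, 7, 2)  # first patched release per the CVE-2020-8913 entry

DEP_RE = re.compile(
    r"""["']""" + re.escape(COORD) + r""":([^"'@]+)(?:@\w+)?["']"""
)

def classify(version):
    """Return 'vulnerable', 'patched' or 'unknown' for a declared version."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        # Dynamic versions ("1.7.+") and variables cannot be judged statically.
        return "unknown"
    nums = tuple(int(p) for p in parts) + (0,) * (3 - len(parts))
    # Tuple comparison is numeric, so 1.10.0 sorts after 1.7.2.
    return "vulnerable" if nums[:3] < FIXED else "patched"

def audit(gradle_text):
    """Return (line_no, version, verdict) for each Play Core declaration."""
    findings = []
    for no, line in enumerate(gradle_text.splitlines(), 1):
        code = line.split("//", 1)[0]  # skip commented-out declarations
        for m in DEP_RE.finditer(code):
            findings.append((no, m.group(1), classify(m.group(1))))
    return findings

# Constructed sample build file, not taken from any real project.
SAMPLE = '''\
dependencies {
    implementation 'com.google.android.play:core:1.6.4'
    implementation "com.google.android.play:core:1.10.0"
    // implementation 'com.google.android.play:core:1.3.0'
    implementation("com.google.android.play:core:1.7.+")
    implementation "com.google.android.play:core:$playCoreVersion"
}
'''

if __name__ == "__main__":
    for no, version, verdict in audit(SAMPLE):
        print(f"line {no}: {COORD}:{version} -> {verdict}")
```

Declarations reported as `unknown`, and copies of the library pulled in transitively by other dependencies, need to be resolved from the build's dependency report rather than from the build file text.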