Google Play continues to make headlines with security problems in its store. The latest issue is a doozy, affecting 14 apps with a combined total of nearly 850 million downloads.
Android's Google Play store has been in the news numerous times over the last few months, each time because of a security vulnerability or a malicious app posing as a legitimate one. Last week it was revealed that the Google Play Core library, a client-side library that developers bundle into their own apps to handle things like in-app updates and on-demand feature modules, had a flaw that allowed a malicious app installed on the same device to get its own code loaded and run inside any other app that shipped a vulnerable version of the library, with that app's permissions. This undermines one of Android's core protections, the app sandbox, under which each app runs as its own user with private storage so that one app cannot read the code or data of another.
Google patched the library back in April, but because Play Core is compiled into each app rather than updated centrally, the fix only reaches users once every developer pulls in the updated library, rebuilds, and publishes a new release. Many developers did not do this, which leads to the question: why not? There are 14 affected apps with almost 850 million downloads between them, and any of those users could have their personal information exposed. So, again, why did this not happen?
There are three plausible reasons why a patched library never made it into a shipped build. First, Google never told developers that updating the bundled library was the fix (unlikely). Second, developers could not fit the update into an already jam-packed project calendar (possible). Third, developers could not get management to make it a priority and were told to fix it later (probable). Whatever the reason, the affected apps are as follows:
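What "incorporating the updated library" involves in practice is bumping the Play Core dependency in the app's Gradle build and shipping a new release. The trap is that Play Core is frequently pulled in transitively by another SDK, so the version a developer wrote in their own build file is not necessarily the one that lands in the APK; what matters is the version Gradle resolves. The script below is an added example for this post, not code from the original article, from Check Point or from Google. It scans the text output of Gradle's `dependencies` task for the Play Core artifact and flags any resolved version older than the fixed release. It assumes 1.7.2 is the first fixed version (an assumption to verify against the library's release notes), and the two report excerpts it contains are constructed samples, not output from any of the apps listed above.

```python
"""Flag a vulnerable Google Play Core version in a Gradle dependency report.

Added example for this post; not code from the original article, Check Point or Google.
"""
import re
import sys

# Assumption: the first Play Core release carrying the April fix. Verify this against the
# library's release notes before relying on it.
PATCHED_VERSION = "1.7.2"
PLAY_CORE_COORD = "com.google.android.play:core"

# One dependency line of `gradlew dependencies` output looks like
#   +--- com.google.android.play:core:1.6.4 -> 1.7.2 (*)
# where "requested -> resolved" appears only when conflict resolution chose a different
# version than the one requested, and "(*)" marks a subtree Gradle already printed.
DEP_LINE = re.compile(
    r"(?P<coord>[\w.\-]+:[\w.\-]+):(?P<requested>[\w.\-]+)"
    r"(?:\s+->\s+(?P<resolved>[\w.\-]+))?"
)


def version_key(version):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def play_core_versions(report):
    """Return the set of Play Core versions that actually land on the classpath.

    The resolved version (right of '->') is what ships in the APK; the requested one
    only tells you what some build file asked for.
    """
    found = set()
    for line in report.splitlines():
        match = DEP_LINE.search(line)
        if match and match.group("coord") == PLAY_CORE_COORD:
            found.add(match.group("resolved") or match.group("requested"))
    return found


def audit(report):
    """Return (vulnerable, versions).

    vulnerable is True when any resolved Play Core version is older than PATCHED_VERSION.
    An app that does not use Play Core at all is reported as not vulnerable.
    """
    versions = play_core_versions(report)
    vulnerable = any(version_key(v) < version_key(PATCHED_VERSION) for v in versions)
    return vulnerable, sorted(versions, key=version_key)


# Constructed sample reports (not output from any of the apps in the article).
# Here the app's own build file pins the old library and nothing else requests a newer one.
VULNERABLE_REPORT = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.google.android.play:core:1.6.4
+--- com.example:internal-sdk:2.3.0
|    \\--- androidx.core:core:1.3.2
\\--- androidx.appcompat:appcompat:1.2.0
"""

# Same app after a transitive SDK moved to the fixed release: Gradle's conflict resolution
# upgrades the stale direct dependency (1.6.4 -> 1.7.2), so the shipped version is fixed even
# though the app's own build file still names the old one.
PATCHED_REPORT = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.google.android.play:core:1.6.4 -> 1.7.2
+--- com.example:internal-sdk:2.3.0
|    +--- com.google.android.play:core:1.7.2
|    \\--- androidx.core:core:1.3.2
\\--- androidx.appcompat:appcompat:1.2.0
"""


def main():
    # Pipe a real report in on stdin, or run with no input to see the two samples.
    if not sys.stdin.isatty():
        reports = [("stdin", sys.stdin.read())]
    else:
        reports = [("vulnerable sample", VULNERABLE_REPORT), ("patched sample", PATCHED_REPORT)]
    for name, report in reports:
        vulnerable, versions = audit(report)
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{name}: Play Core {versions or 'absent'} -> {status}")


if __name__ == "__main__":
    main()
```

To check a real project, generate the report for the configuration that actually ships and pipe it in, for example `./gradlew :app:dependencies --configuration releaseRuntimeClasspath | python audit_play_core.py`. The point of keying on the resolved version is that a developer who never added Play Core themselves can still be shipping it, and a developer who bumped their own line can still be overridden by a stricter constraint elsewhere in the graph.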
Name                    Version         Download count
Viber                   *14.1.0.16      500,000,000
Booking.com             *24.8.2         100,000,000
Aloha                   2.23.0          1,000,000
Walla! Sports           1.8.3.1         100,000
XRecorder               1.4.0.3         100,000,000
Moovit                  5.56.0.459      50,000,000
Hamal                   2.2.2.1         1,000,000
IndiaMART               12.7.4          10,000,000
Edge                    45.09.4.5083    10,000,000
Grindr                  6.32.0          10,000,000
Yango Pro (Taximeter)   9.56            5,000,000
PowerDirector           7.5.0           50,000,000
OkCupid                 47.0.0          10,000,000
Teams (Cisco)           40.10.1.274     1,000,000
From Ars Technica:
Check Point researchers Aviran Hazum and Jonathan Shimonovich wrote:
“When we combine popular applications that utilize the Google Play Core library, and the Local-Code-Execution vulnerability, we can clearly see the risks. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications and have the same access as the vulnerable application.
The possibilities are limited only by our creativity. Here are just a few examples:
- Inject code into banking applications to grab credentials, and at the same time have SMS permissions to steal the Two-Factor Authentication (2FA) codes.
- Inject code into Enterprise applications to gain access to corporate resources.
- Inject code into social media applications to spy on the victim, and use location access to track the device.
- Inject code into IM apps to grab all messages, and possibly send messages on the victim's behalf."
Security is no longer optional. The apps listed above may not be business applications, but that doesn't mean businesses shouldn't care. Note the precondition in the researchers' scenarios: a malicious app has to be installed on the same device first, which is exactly what the stream of look-alike apps slipping into Google Play has been delivering. If an employee is running one of the affected apps alongside such a malicious app, the attacker effectively has a foothold inside a trusted app on that phone, and every time that phone joins the business Wi-Fi the foothold is on the business network. On a flat network with no segmentation between the wireless segment and internal systems, that is all an attacker needs to start probing and pivoting. Worse, because injected code runs with the hijacked app's own permissions, this flaw can be used to harvest credentials and the SMS-delivered 2FA codes that protect them, so an attacker doesn't even have to wait for the employee to come into the office; they can log in remotely with stolen credentials and take what they want without ever raising a flag.
This is why we always say to keep security patches current and to stay on top of known vulnerabilities and bugs. Fixing a problem as early as possible not only limits its blast radius; it is also cheaper, and the ramifications are fewer. When you sit on a known vulnerability without making a move to fix it, your business becomes more and more liable for the consequences as time goes on. If you're curious how expensive that can get, ask Capital One, which paid $80 million in regulatory fines alone.
The original flaw in this scenario lies on Google's shoulders, but once the fix was published, the developers of these apps, and the businesses behind them, should have taken immediate action. The full ramifications are yet to be seen, but they are probably not going to be pretty. Don't fall into this trap: if your own developers can't find the time to apply these updates, hire an expert!