Viber, Grindr, OkCupid, and several other Android apps remain exposed to CVE-2020-8913, which means users of these apps face a security risk. The vulnerability “allows Local-Code-Execution (LCE) within the scope of any application that has the vulnerable version of the Google Play Core Library. Code execution is an attacker’s ability to execute arbitrary commands or code,” according to security researchers at Check Point Research. The vulnerability was published back in August 2020.
For the uninitiated, the ‘Play Core Library’ is the app’s runtime interface with the Google Play Store. Some of the actions an app can take through Play Core include triggering in-app updates, requesting in-app reviews, and downloading additional language resources.
As per the researchers (via SandBlast Mobile), in September 2020, 13 percent of Google Play applications used this library, and 8 percent of those apps had a vulnerable version. For perspective, as of the third quarter of 2020, the Google Play store had over 2.87 million apps on the platform.
Google patched this vulnerability on 6 April 2020; however, the patch does not reach an application on its own, and developers cannot simply push it to their application from Google’s side.
Notably, when a vulnerability sits on the server end, the fix can be applied once and completely for every affected app; when it sits on the client end of the library, as here, the developers of every affected app need to pull in the latest version of the library and ship it in an updated app.
What is vulnerability CVE-2020-8913?
Before we understand the vulnerability, we need to understand a small part of how mobile applications work.
Every mobile application sandbox holds “verified” files from the Google Play store and “non-verified” ones. Files downloaded from the official source, which is Google Play, go into the verified folder, whereas files that come from other sources are sent to the non-verified folder. When a file is written to the verified folder, the Google Play Core library picks it up, loads it, and executes it.
Another feature is the ability to let other sources push files into the hosting application’s sandbox. These files are pushed only into the non-verified folder, and the library does not automatically handle them.
“The vulnerability lies within the combination of the two features mentioned above and also utilizes file traversal, a concept as old as the internet itself. When we combine popular applications that utilize the Google Play Core library and the Local-Code-Execution vulnerability, we can clearly see the risks. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications and have the same access as the vulnerable application,” according to researchers at Check Point.
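The combination the researchers describe above, as an added illustration written for this article (not Check Point’s or Google’s code): a small Python simulation of the two sandbox folders, showing how a naively joined file name with traversal components lands in the verified folder, and how canonicalising the path and checking it stays inside the non-verified folder stops that. The folder names, function names and file names are assumed for the example.

```python
import os
import tempfile

# Constructed layout mirroring the article: files from Google Play land in
# "verified", files pushed into the sandbox by other sources in "non-verified".

def naive_destination(sandbox: str, pushed_name: str) -> str:
    """Vulnerable pattern: trusts the file name supplied by the pushing source."""
    return os.path.join(sandbox, "non-verified", pushed_name)

def safe_destination(sandbox: str, pushed_name: str) -> str:
    """Hardened pattern: canonicalise, then refuse anything outside 'non-verified'."""
    base = os.path.realpath(os.path.join(sandbox, "non-verified"))
    target = os.path.realpath(os.path.join(base, pushed_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"rejected pushed file name {pushed_name!r}: leaves non-verified")
    return target

def lands_in_verified(sandbox: str, dest: str) -> bool:
    """True if the resolved destination ends up inside the auto-loaded 'verified' folder."""
    verified = os.path.realpath(os.path.join(sandbox, "verified"))
    return os.path.commonpath([verified, os.path.realpath(dest)]) == verified

def demo() -> dict:
    """Run both patterns against a benign name and a constructed traversal name."""
    with tempfile.TemporaryDirectory() as sandbox:
        os.makedirs(os.path.join(sandbox, "verified"))
        os.makedirs(os.path.join(sandbox, "non-verified"))
        benign = "strings_fr.pak"                                  # constructed
        hostile = os.path.join("..", "verified", "payload.bin")    # constructed
        results = {
            "naive_benign": lands_in_verified(sandbox, naive_destination(sandbox, benign)),
            "naive_hostile": lands_in_verified(sandbox, naive_destination(sandbox, hostile)),
            "safe_benign": lands_in_verified(sandbox, safe_destination(sandbox, benign)),
        }
        try:
            safe_destination(sandbox, hostile)
            results["safe_hostile_rejected"] = False
        except ValueError:
            results["safe_hostile_rejected"] = True
        return results

if __name__ == "__main__":
    print(demo())
```

The same realpath-plus-commonpath check is the shape of fix to look for when auditing any code that writes attacker-supplied file names into an app sandbox.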
The vulnerability can cause high risks such as “injecting code into banking applications to grab credentials, while having SMS permissions to steal the Two-Factor Authentication (2FA) codes, inject code into social media applications to spy on the victim, and use location access to track the device”, among others.