Several popular dating, travel and video-calling apps on the Google Play Store remain vulnerable to a known bug, CVE-2020-8913, which an attacker can exploit to inject malicious code into those apps, steal personal information or spy on users, researchers at Check Point found. The flaw lies in the Google Play Core library, which app developers embed so that their Android apps can pull down new feature modules and updates from Google Play.
Affected apps include Bumble, OkCupid, Cisco Teams, Yango Pro, Edge, Xrecorder, PowerDirector and Grindr, which between them put millions of Android users at risk.
Until these apps are rebuilt with the patched library, a malicious app on the same phone can exploit the flaw to steal the sensitive information they hold, such as login details, passwords and financial data.
The bug was discovered several months earlier by researchers at Oversecured, who reported it to Google; Google fixed it in the Play Core library (version 1.7.2 and later, according to the CVE record, which describes the flaw as a directory traversal in the library's SplitCompat.install code path that lets a malicious app execute code as the targeted app and read its data).
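The directory-traversal pattern behind this class of bug, shown here as an added example rather than code from the Play Core library or from Oversecured's report: a "split" file name supplied by another app is joined onto an app-private directory that the installer treats as already verified, and anything landing there is later loaded as code. The directory name, the function names and the attacker-chosen file name are all constructed for illustration; only the traversal mechanism itself is taken from the CVE record.

```python
import os
import tempfile
from pathlib import Path


def verified_dir(app_files_dir: str) -> Path:
    """Hypothetical stand-in for the app-private directory a split installer
    trusts as 'already verified' (name constructed for this example)."""
    d = Path(app_files_dir) / "verified-splits"
    d.mkdir(parents=True, exist_ok=True)
    return d


def install_split_unsafe(app_files_dir: str, split_name: str, payload: bytes) -> Path:
    """Traversal-prone pattern: the caller-supplied name is joined onto the
    trusted directory and written without checking where the joined path lands."""
    dest = verified_dir(app_files_dir) / split_name
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(payload)
    return dest.resolve()


def install_split_safe(app_files_dir: str, split_name: str, payload: bytes) -> Path:
    """Hardened version: reject path separators and dot names outright, then
    confirm the canonical destination (symlinks followed) is still inside the
    trusted directory before writing a single byte."""
    if not split_name or "/" in split_name or "\\" in split_name or split_name in (".", ".."):
        raise ValueError(f"invalid split name: {split_name!r}")
    root = verified_dir(app_files_dir).resolve()
    dest = (root / split_name).resolve()
    # dest must be root itself or a descendant; commonpath catches symlink escapes
    if os.path.commonpath([root, dest]) != str(root):
        raise ValueError(f"split name escapes trusted directory: {split_name!r}")
    dest.write_bytes(payload)
    return dest


def demo() -> dict:
    """Run both installers against an attacker-chosen name inside a temp dir and
    report where the unsafe write landed and whether the safe one refused."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = os.path.join(tmp, "files")
        root = verified_dir(app_dir).resolve()
        evil = "../../injected.dex"  # constructed attacker-controlled name
        landed = install_split_unsafe(app_dir, evil, b"dex")
        try:
            install_split_safe(app_dir, evil, b"dex")
            safe_rejected = False
        except ValueError:
            safe_rejected = True
        good = install_split_safe(app_dir, "feature.apk", b"apk")
        return {
            "unsafe_escaped_root": os.path.commonpath([root, landed]) != str(root),
            "unsafe_landed_at": landed.name,
            "safe_rejected_traversal": safe_rejected,
            "safe_wrote_inside_root": good.parent == root,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe installer drops `injected.dex` two levels above the trusted directory, exactly the position from which a loader that trusts that tree would pick it up; the hardened one refuses the name before touching the filesystem. The separator check alone is not enough on its own: a symlink already present inside the trusted directory would pass it, which is why the canonical-path comparison is kept as the second line of defence.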
Google advised application developers to upgrade to the latest version of the Play Core library, but only a few, such as Viber and Booking, have done so; Cisco Webex Teams, Yango Pro, Grindr, OkCupid, Bumble, Edge, Xrecorder, PowerDirector and many others are still shipping the old, vulnerable library, which Check Point puts at 8% of the Play Store apps that embed Play Core. Because the library is compiled into each app rather than updated centrally by Google, the fix reaches users only when each developer rebuilds and republishes with the patched version.
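A quick way for a developer or reviewer to check whether a build still pins the vulnerable library, as an added example that is not from the article or from Check Point: scan a Gradle file for the `com.google.android.play:core` coordinate and compare the version against 1.7.2, the first fixed release per the CVE record. The sample `build.gradle` text is constructed for this example, and the scanner resolves the common `$variable` form for the version but reports anything it cannot resolve rather than guessing.

```python
import re
from typing import Dict, List, Tuple

# First Play Core release without CVE-2020-8913, per the CVE record (not stated in the article).
FIXED_VERSION = (1, 7, 2)

# "com.google.android.play:core:<version>" in Groovy or Kotlin DSL; the version is either a
# literal or a Gradle variable reference such as $playCoreVersion / ${playCoreVersion}.
DEP_RE = re.compile(r"com\.google\.android\.play:core:(?P<ver>[0-9]+(?:\.[0-9]+)*|\$\{?\w+\}?)")

# Simple version assignments: ext.playCoreVersion = "1.6.4" / def v = '1.6.4'
VAR_RE = re.compile(r"""(?<!\w)(?P<name>\w+)\s*=\s*["'](?P<ver>[0-9]+(?:\.[0-9]+)*)["']""")

# Constructed sample, not taken from any real app.
SAMPLE_BUILD_GRADLE = """\
// constructed sample build.gradle
ext.playCoreVersion = "1.6.4"
dependencies {
    implementation "com.google.android.play:core:$playCoreVersion"
    implementation 'com.google.android.play:core:1.8.0'
    implementation "com.google.android.play:core:${otherVersion}"
}
"""


def parse_version(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))


def is_vulnerable(version: str) -> bool:
    """True for any Play Core version below the fixed release. Tuple comparison
    orders 1.6.4 < 1.7.2 < 1.10.0 correctly, which a string compare would not."""
    return parse_version(version) < FIXED_VERSION


def scan_gradle(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, version, status) for every Play Core dependency found.
    status is 'vulnerable', 'fixed', or 'unresolved' for a variable we cannot look up."""
    variables: Dict[str, str] = {m.group("name"): m.group("ver") for m in VAR_RE.finditer(text)}
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in DEP_RE.finditer(line):
            raw = m.group("ver")
            ver = raw
            if raw.startswith("$"):
                ver = variables.get(raw.strip("${}"))
                if ver is None:
                    findings.append((lineno, raw, "unresolved"))
                    continue
            findings.append((lineno, ver, "vulnerable" if is_vulnerable(ver) else "fixed"))
    return findings


if __name__ == "__main__":
    for lineno, ver, status in scan_gradle(SAMPLE_BUILD_GRADLE):
        print(f"line {lineno}: Play Core {ver} -> {status}")
```

An "unresolved" finding means the version lives in a file the scanner did not see (a `gradle.properties` entry or a version catalog) and must be checked by hand. Google later replaced the single Play Core artifact with per-feature artifacts (`app-update`, `feature-delivery` and the like), which this scanner deliberately ignores because they are not the affected library; a build that has migrated to them will simply produce no findings.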
Aviran Hazum, Manager of Mobile Research, Check Point, said “We’re estimating that hundreds of millions of Android users are at a security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials. Or, a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination.”