Android security bug let malicious apps siphon off private user data

guest · Aug 28, 2020

Android security bug let malicious apps siphon off private user data
August 28, 2020
https://techcrunch.com/2020/08/28/android-bug-apps-data/?web_view=true

A security vulnerability in Android could have allowed malicious apps to siphon off sensitive data from other apps on the same device.

App security startup Oversecured found the flaw in Google’s widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps, like language packs or game levels.
A malicious app on the same Android device could exploit the vulnerability by injecting malicious modules into other apps that rely on the library to steal private information, like passwords and credit card numbers, from inside the app.

Sergey Toshin, founder of Oversecured, told TechCrunch that exploiting the bug was “pretty easy.”
Click to expand...

Toshin said the proof-of-concept app was able to steal a victim’s browsing history, passwords and login cookies.
But Toshin said the bug also affected some of the most popular apps in the Android app store.

Google confirmed the bug, rated 8.8 out of 10.0 for severity, is now fixed. “We appreciate the researcher reporting this issue to us, and as a result it was patched in March,” said a Google spokesperson.
Click to expand...

Oversecured: Oversecured automatically discovers persistent code execution in the Google Play Core Library

The Google Play Core Library is a popular library for Android that allows updates to various parts of an app to be delivered at runtime without the participation of the user, via the Google API.
The vulnerability we discovered made it possible to add executable modules to any apps using the library, meaning arbitrary code could be executed within them.
Click to expand...

guest · Dec 3, 2020

Google Play Apps Remain Vulnerable to High-Severity Flaw
December 3, 2020
https://threatpost.com/google-play-apps-remain-vulnerable-to-high-severity-flaw/161785/

Researchers are warning that several popular Google Play applications – including mobile browser app Edge and business app Cisco Teams – have yet to push out an important update addressing a high-severity vulnerability in the Google Play Core Library.

The vulnerability exists in Google Play Core Library, which is utilized by various popular applications like Google Chrome, Facebook and Instagram.
The vulnerability (CVE-2020-8913) in the Google Play Core Library is a local, arbitrary code execution issue in the SplitCompat.install endpoint in of Android’s Play Core Library (in versions prior to 1.7.2). The flaw, which ranks 8.8 out of 10 on the CVSS v3 scale, making it high severity, was previously disclosed in late August.
Click to expand...

“Unlike server-side vulnerabilities, where the vulnerability is patched completely once the patch is applied to the server, for client-side vulnerabilities, each developer needs to grab the latest version of the library and insert it into the application,” said Aviran Hazum and Jonathan Shimonovich, security researchers with Check Point Research on Thursday.

Researchers said they reached out to Google with their findings. Google responded in a statement: “The relevant vulnerability CVE-2020-8913 does not exist in up-to-date Play Core versions.” Application developers are urged to update to Android’s Play Core Library version 1.7.2.
Click to expand...

Check Point Research: Vulnerability in Google Play Core Library Remains Unpatched in Google Play Applications

A new vulnerability for the Google Play Core Library was published in late August, which allows Local-Code-Execution (LCE) within the scope of any application that has the vulnerable version of the Google Play Core Library.
In this paper, we analyze the impact and magnitude of this vulnerability from a security perspective.
Click to expand...

Log in or Sign up

Android security bug let malicious apps siphon off private user data

guest Guest

guest Guest

Log in or Sign up

Android security bug let malicious apps siphon off private user data

guest Guest

guest Guest

Useful Searches