Cisco Teams, Grindr, OkCupid, and many more apps on the official Google Play Store continue to be vulnerable to the known vulnerability called CVE-2020-8913.
- Dating apps like Grindr, OkCupid, and millions of Android apps are at risk due to a patched security bug
- The vulnerability was initially reported in late August by researchers at Oversecured
Popular applications such as Grindr, OkCupid, Cisco Teams and more on the official Google Play Store continue to be vulnerable to the known vulnerability CVE-2020-8913, and concluding that hundreds of millions of Android users are still at a significant security risk, security researchers at Check Point Research revealed on Tuesday.
Initially reported in late August by researchers at Oversecured, the vulnerability allows a threat actor to inject malicious code into vulnerable applications, granting access to all the same resources of the hosting application. Such a malicious app can siphon off sensitive data from other apps on the same device.
The researchers randomly selected a number of high-profile apps to confirm the existence of vulnerability CVE-2020-8913 and the bug was confirmed in popular apps, including Grindr, Bumble, OKCupid, Cisco Teams, Yango Pro, Edge, Xrecorder, PowerDirector among others.
“We’re estimating that hundreds of millions of Android users are at a security risk. Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application,” Aviran Hazum, Manager of Mobile Research, Check Point, said in a statement.
“For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials. Or, a threat actor could inject code into social media applications to spy on victims or inject code into all IM apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination.”
The flaw is rooted in Google’s widely used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps. The vulnerability makes it possible to add executable modules to any apps using the library, meaning arbitrary code could be executed within them. An attacker who has a malware app installed on the victim’s device could steal users’ private information, such as login details, passwords, financial details, and read their mail.
Developers need to update to get rid of the security bug
Google acknowledged and patched the bug on April 6, 2020, rating it an 8.8 out of 10 for severity. However, the patch needs to be pushed by the developers themselves into their respective applications, in order for the threat to fully go away.
During the month of September 2020, 13 per cent of Google Play applications analysed by researchers at Check Point used the Google Play Core library, where 8 per cent of those applications continued to have a vulnerable version. The following applications are still vulnerable on Android: Social – Viber, Travel – Booking, Business – Cisco Teams, Maps and Navigation – Yango Pro (Taximeter), Dating – Grindr, OKCupid, Bumble, Browsers – Edge, Utilities – Xrecorder, PowerDirector.
Google’s response to the security bug discovery
Check Point researchers reached out to Google and communicated their research findings. Google responded with: “The relevant vulnerability CVE-2020-8913 does not exist in up-to-date Play Core versions.”