Some Android apps like Grindr, OkCupid, Bumble etc. are vulnerable to a major security flaw, says Check Point
A major security flaw rooted in the Google Play Core library is still plaguing many Android apps, according to Check Point Software Technologies. Popular apps like Bumble, Grindr, OkCupid, Cisco Teams etc. are on the list of vulnerable apps, going by a recent report.
According to the analysis by security researchers at Check Point, the bug that Google fixed in April 2020 still affects many apps, and the app developers have not yet fixed the flaw on their end. This is putting millions of users at risk.
The vulnerability is tracked as CVE-2020-8913. It allows hackers to inject malicious code into vulnerable apps and then execute that code to get access to all the resources in the app. It is then used to steal sensitive data from other apps on the same device, said Check Point.
The vulnerability puts users’ private data like login details, mail IDs, passwords, financial details etc. at risk and exposes it to potential theft.
CVE-2020-8913 is rooted in Google’s widely used Play Core library. The Play Core library allows developers to push in-app updates to their apps. When Google fixed the problem in April this year, developers had to install a new Play Core library to make the CVE-2020-8913 vulnerability go away.
However, the vulnerability remained and was reported by researchers at Oversecured in August. Google rated the severity of the flaw at 8.8 out of 10.
CVE-2020-8913 makes it possible for hackers to add executable modules to any app using the Play Core library, so arbitrary code can be executed with malicious intent. A malware app can be installed on a device this way to steal private information and also read emails.
Many popular apps appear to have the CVE-2020-8913 vulnerability, including Grindr, Bumble, Viber, OKCupid, Cisco Teams, PowerDirector, Yango Pro, Edge, Xrecorder etc. In September, 13% of the apps on Google Play analysed by Check Point were using Google’s Play Core library, and 8% of these were still using the vulnerable version. Viber and Booking have now updated to new patched versions, but the other apps have not yet.
For the threat to actually be removed, developers need to push the patch themselves. The security firm has notified all the apps about the CVE-2020-8913 vulnerability and has informed them that they need to update the Play Core library to be safe.