Cybercriminals can exploit the at-risk apps to steal login credentials, passwords, financial details, and text messages, says Check Point.

Many applications and products caught with a security vulnerability often require two responses to fully mitigate the flaw. First, the vendor may have to issue a patch to correct the server-side weakness on its end. But then the user or developer of the app might need to apply that patch on the client side. Without that second action, the products remain at risk.

First reported in late August by researchers at Oversecured and since analyzed by cyber threat intelligence provider Check Point, a recent flaw affecting several Android apps points to this patch-applying dilemma.

In its Thursday report “Vulnerability in Google Play Core Library Remains Unpatched in Google Play Applications,” Check Point describes a vulnerability in Google’s Play Core Library, a function used by apps to enable in-app updates, in-app reviews, additional feature modules, and additional language modules. Many popular apps use this library, including Google Chrome, Facebook, Instagram, WhatsApp, and Snapchat.

If exploited, the flaw could allow an attacker to inject malicious code into an app to steal login credentials, two-factor authentication codes, and text messages. Savvy cybercriminals could also inject code into enterprise apps to access corporate resources and social media apps to spy on the user. Google patched this hole on April 6, 2020. But as of the publication of Check Point’s report, several developers have yet to apply the patch on the client side.

Some of the affected apps analyzed by Check Point include Viber, Booking, Cisco Teams, Yango Pro (Taximeter), Moovit, Grindr, OKCupid, Microsoft Edge, Xrecorder, and PowerDirector. After Check Point alerted the developers of these apps to the flaw, the Viber and Booking apps were patched, according to Check Point. Separate spokespersons for Moovit and Grindr told TechRepublic that their apps have also been patched.

“On the same day that the vulnerability was brought to our attention, our team quickly issued a hotfix to address the issue,” the spokesperson for Grindr said. “As we understand it, in order for this vulnerability to have been exploited, a user must have been tricked into downloading a malicious app onto their phone that is specifically tailored to exploit the Grindr app. As part of our commitment to improving the safety and security of our service, we have partnered with HackerOne, a leading security firm, to simplify and improve the ability for security researchers to report issues such as these.”

With server-side flaws, the weakness is automatically corrected once the vendor applies the proper fix. But with client-side flaws like the ones detected in these Android apps, the developer needs to download the latest version of Google’s Play Core Library and insert it into the affected app.

To demonstrate how this flaw could be exploited, Check Point said that its researchers used a vulnerable version of the Google Chrome browser and created a dedicated payload to capture its bookmarks. After the payload was injected into Chrome, the attacker would have the same access as the browser to such data as cookies, history, bookmarks, and even the app’s password manager. In this event, someone could grab cookies as a way to hijack a session with a third-party service such as Dropbox.

“We’re estimating that hundreds of millions of Android users are at security risk,” Check Point’s manager of mobile research, Aviran Hazum, said in a press release. “Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability CVE-2020-8913 is highly dangerous. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application.”

All Android app developers who use Google’s Play Core Library are urged to update Play Core to version 1.7.2 or later. Android users should consider installing security software on their device. Naturally, Check Point recommends its own SandBlast Mobile app, but you’ll find other security apps in Google Play from a variety of reputable and reliable vendors.
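For developers acting on the update advice above, the following added example (not code from Check Point, Google, or the original article) audits a Gradle build file for Play Core declarations older than 1.7.2. It assumes the library is declared under the Maven coordinate `com.google.android.play:core`; the function names and the sample build file are hypothetical and constructed for illustration.

```python
import re

# Fixed version named in the article: Play Core 1.7.2 or later.
FIXED = (1, 7, 2)

# Assumption: the library is declared under com.google.android.play:core.
# Matches Groovy and Kotlin DSL forms such as
#   implementation 'com.google.android.play:core:1.7.1'
#   api("com.google.android.play:core:1.8.0")
DEP_RE = re.compile(r"""["']com\.google\.android\.play:core:([^"'@]+)""")

def parse_version(text):
    """Return a numeric tuple for plain versions like 1.7.2, or None for
    dynamic ('1.+') or interpolated ('$playCoreVersion') versions that
    cannot be compared statically."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def audit_gradle(source):
    """Return (line_no, declared_version, status) for each Play Core dependency."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # skip commented-out declarations
        for match in DEP_RE.finditer(code):
            declared = match.group(1).strip()
            version = parse_version(declared)
            if version is None:
                status = "UNRESOLVED"  # resolve the real version by hand
            else:
                status = "VULNERABLE" if version < FIXED else "OK"
            findings.append((line_no, declared, status))
    return findings

# Constructed sample build file, not taken from any real project.
SAMPLE = """\
dependencies {
    implementation 'com.google.android.play:core:1.7.1'
    implementation("com.google.android.play:core:1.7.2")
    // implementation 'com.google.android.play:core:1.6.4'
    implementation "com.google.android.play:core:$playCoreVersion"
    implementation 'com.google.android.play:core:1.10'
}
"""

if __name__ == "__main__":
    for line_no, declared, status in audit_gradle(SAMPLE):
        print(f"line {line_no}: {declared} -> {status}")
```

An `UNRESOLVED` result means the version comes from a variable or a dynamic selector, so the version actually shipped has to be confirmed from the resolved dependency tree rather than the build file text.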

Android phone attack diagram