Android apps with hundreds of millions of downloads are vulnerable to attacks that could allow malicious apps to steal contacts, login information, private messages, and other sensitive information. Security firm Check Point said the Edge browser, XRecorder video and screen recorder, and PowerDirector video editor are affected.
In fact, the vulnerability resides in the Google Play Core Library, a code collection created by Google. The library allows apps to streamline the update process, for example by receiving new versions at runtime and adapting updates to the specific configuration of an individual app or a particular phone model on which the app is running.
A core weak point
In August, the security firm Oversecured reported a security bug in the Google Play Core Library that allowed an installed app to execute code in the context of another app that relied on the vulnerable library version.
The vulnerability resulted from a directory browsing bug that allowed untrusted sources to copy files to a folder that should only be reserved for trusted code received from Google Play. The vulnerability undermined a core protection built into the Android operating system that prevents an app from accessing data or code belonging to another app.
Here is a picture that shows how an attack might work:
Google fixed the library bug in April. In order for vulnerable apps to be fixed, developers must first download the updated library and then incorporate it into their app code. According to Check Point research, a non-trivial number of developers continued to use the vulnerable library version.
Check Point researchers Aviran Hazum and Jonathan Shimonovich wrote:
When we combine popular applications that use the Google Play Core library and the local code execution vulnerability, we can clearly see the risks. If a malicious application exploited this vulnerability, it could execute code in popular applications and have the same access as the vulnerable application.
The possibilities are only limited by our creativity. Here are just a few examples:
- Paste code into banking applications to get credentials and at the same time have SMS permissions to steal the 2FA (Two-Factor Authentication) codes.
- Paste code into corporate applications to gain access to corporate resources.
- Paste code into social media applications to spy on victim and use location access to track the device.
- Paste code in IM apps to get all messages and possibly send messages on behalf of the victim.
To see is to believe
To demonstrate an exploit, Check Point used a proof-of-concept app to steal an authentication cookie from an old version of Chrome. With the possession of the cookie, the attacker could then gain unauthorized access to a victim's Dropbox account.
Account takeover exploiting the vulnerability in the Android Play Core Library Code demo.
Check Point identified 14 apps with combined downloads of nearly 850 million that were still vulnerable. Within hours of the release of a report, the security company announced that developers of some of the apps mentioned had released updates that addressed the vulnerability.
The apps that Check Point identified included Edge, XRecorder and PowerDirector, which together have 160 million installations. Check Point did not provide any indication that any of these apps were repaired. Ars asked the developers of all three apps to comment on the report. This post will be updated if they reply.