Security experts from Check Point have warned that the developers of many popular Android applications forgot to update one important library, leaving their apps vulnerable to attacks.
According to Check Point, about 8 percent of apps in Google Play use old and unsafe versions of the Play Core library. Google created this library, and developers can embed it into their apps to interact with the official Google Play Store. The library is very popular because it can be used to download and install updates from the Play Store, modules, language packs, and even other applications.
A malicious application installed on the user's device could exploit this bug to inject dangerous code into other applications and to steal confidential data, including passwords, photos, 2FA codes, and much more.
The vulnerability has been identified as CVE-2020-8913 and has been known since August. Google fixed the bug in the Play Core 1.7.2 release in March 2020. However, according to Check Point, not all developers have updated the Play Core library in time, and now their users are at risk.
In a scan in September, 13 percent of apps in the Play Store used the Play Core library: only 5 percent used an updated version, while 8 percent used a version that was more than six months old and affected by the vulnerability.
Check Point researchers write that they notified the authors of all vulnerable applications about the problem, and only some of them fixed the issue.
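A check a developer could run over a Gradle build file, added here as an example and not taken from Check Point or Google: it flags Play Core declarations older than the 1.7.2 release that fixed CVE-2020-8913. It assumes the library is declared under its Maven coordinate `com.google.android.play:core`; the sample build file and the function names are constructed for illustration.

```python
import re

# Fixed release named in the article; older versions are affected by CVE-2020-8913.
FIXED = (1, 7, 2)

# Captures the version part of a Play Core coordinate. 'core:' must follow directly,
# so sibling artifacts such as core-ktx (separate version numbering) are not matched.
COORD = re.compile(r"""com\.google\.android\.play:core:([^'"\s)]+)""")

def parse_version(text):
    """Return a 3-tuple for a plain numeric version, or None if it cannot be resolved."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        return None  # variables ($playCoreVersion) or dynamic ranges (1.+)
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit_gradle(source):
    """Return (line_no, declared_version, status) for each Play Core dependency."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # ignore commented-out declarations
        for match in COORD.finditer(code):
            declared = match.group(1)
            version = parse_version(declared)
            if version is None:
                status = "unresolved"  # needs manual review of the resolved version
            elif version < FIXED:
                status = "vulnerable"
            else:
                status = "ok"
            findings.append((no, declared, status))
    return findings

# Constructed sample: declaration styles gathered into one file for the demo.
SAMPLE = '''\
dependencies {
    implementation 'com.google.android.play:core:1.6.4'
    implementation "com.google.android.play:core:1.7.2"
    // implementation 'com.google.android.play:core:1.5.0'
    implementation("com.google.android.play:core:$playCoreVersion")
    implementation 'com.google.android.play:core:1.+'
}
'''

if __name__ == "__main__":
    for line_no, declared, status in audit_gradle(SAMPLE):
        print(f"line {line_no}: play:core {declared} -> {status}")
```

Declarations reported as "unresolved" depend on a variable or a dynamic range, so the version that actually ships has to be confirmed from the resolved dependency tree.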