Researchers have discovered a critical flaw that exists in the SplitCompat.install endpoint in Android’s Play Core Library. The flaw tracked as CVE-2020-8913 rated 8.8 out of 10 in severities by the industry-standard Common Vulnerability Scoring System (CVSS).

This is a local, arbitrary code execution vulnerability that impacts Android’s Play Core Library versions prior to 1.7.2.

The Play Core Library is the app’s runtime interface with the Google Play Store, it allows to download additional language resources, manage the delivery of feature modules, manage the delivery of asset packs, trigger in-app updates, request in-app reviews.

So, basically, the Google Play Core Library is a gateway for interacting with Google Play Services from within the application itself, starting from dynamic code loading to delivering locale-specific resources, to interacting with Google Play’s review mechanisms.

The flaw was first documented by researchers from Oversecured.

Hundreds of millions of Android users are potentially exposed to the risk of hack due to the use of Android Play Core Library versions vulnerable to CVE-2020-8913.

What happened?

A threat actor could create an apk to target specific application. On installing the apk, the attacker could perform a broad range of malicious activities, including execute code as the targeted application and access the targeted application’s data on the victims’ Android devices.

After further careful research, it emerged that the verified-splits folder contains verified apks with the current app’s signature, which are no longer verified in the future. When a file in that folder starts with a config. prefix, it will be added to the app’s runtime ClassLoader automatically.

Using that weakness, the attacker can create a class implementing e.g. the Parcelable interface and containing malicious code and send their instances to the affected app, meaning the createFromParcel(…) method will be executed in their context during deserialization leading to local code execution.

Affected Applications:

Several popular Android apps are still using vulnerable versions of Google’s app update library that is why millions of users are at a risk of cyber attacks.

The list of vulnerable apps is long and includes OkCupid, MS Edge, Xrecorder, Yango Pro, and PowerDirector, are still vulnerable and can be hijacked to steal sensitive data, such as passwords, financial details, and e-mails.

Since the vulnerability was patched earlier, there is cause for concern because the patch needs to be pushed by the developers into the application. Unlike server-side vulnerabilities, where the vulnerability is patched completely once the patch is applied to the server, for client-side vulnerabilities, each developer needs to grab the latest version of the library and insert it into the application.

Vulnerability Impact:

The impact and magnitude of successful exploitation of this flaw are very serious, attackers can trigger it, they can inject the code into banking applications to grab credentials, and at the same time they have SMS permissions to steal the two-factor authentication (2FA) codes, to spy on chat apps, spy on users’ locations, and tamper with enterprise apps.

The development teams behind some popular apps like Viber, Meetup, Cisco, Grindr, Moovit, Cisco Teams, and Booking.com have updated the library in their apps after being notified by Check Point. But many third-party app developers are yet to update the Play Core library into their apps despite Google addressed the flaw.

Researchers from Check Point reported that out of 13% of Google Play applications 8% were running on a vulnerable variant of the library .

According to check point’s report “Although Google implemented a patch, many apps are still using outdated Play Core libraries. The vulnerability is highly dangerous, and the attack possibilities here are only limited by a threat actor’s imagination.”

Recommendations:

• Users are highly recommended to update their play core library and install updated version of applications.
• Make sure your android device is working on updated version.
• Try to set different password for different application. It is must for security purpose.
• Developers are advised to push the patch parallel in to the application.

Always share file in an encrypted form. It is essential to secure data from third party.