CVE-2020-8913 Continues to Compromise Apps on the Google Play Store


Saturday, December 5th, 2020

Previously disclosed on April 6, 2020, CVE-2020-8913 is a local, arbitrary code execution issue in the SplitCompat.install endpoint of Android's Play Core Library. The flaw scores 8.8 out of 10 on the CVSS v3 scale, rating it 'High Severity.' The Play Core Library is used by many popular applications, including Google Chrome, Facebook, and Instagram. It acts as a gateway for interacting with Google Play services from within the application itself, allowing developers to carry out tasks such as dynamic code loading (feature modules), delivering locale-specific resources, and interacting with Google Play's in-app review mechanism.

Google patched the flaw once it was disclosed on April 6, but in a report published by Check Point researchers, they warn that the patched library still has to be shipped by the developers of several applications, and that the flaw may still affect hundreds of millions of Android users. One such application is the mobile browser app Edge. Unlike a server-side vulnerability, which is fully resolved once the patch is applied to the server, CVE-2020-8913 is a client-side vulnerability: the vulnerable code is compiled into each app. This means that each developer must update to a fixed version of the library, rebuild their application, and push the new build to users; until users install that update, the app remains exploitable.
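Because the fix has to be rebuilt into every app, the practical check for a development team is whether its build still resolves a Play Core version older than 1.7.2, the first release that fixed CVE-2020-8913. The following is an added example, not code from the article or from Check Point's report: a small scanner that looks for `com.google.android.play:core:<version>` coordinates in Gradle build files or in the output of `gradlew dependencies`, honours Gradle's `old -> resolved` conflict-resolution notation, and flags anything below 1.7.2. The build file and dependency-tree snippets are constructed for the example; the library name `com.example:analytics-sdk` is hypothetical.

```python
"""Flag Gradle projects that still compile in a Play Core Library vulnerable
to CVE-2020-8913 (com.google.android.play:core before 1.7.2).

Added example; not part of the original article or of Check Point's report.
"""
import re
import sys
from pathlib import Path

# First Play Core release that fixed CVE-2020-8913.
FIXED_VERSION = (1, 7, 2)

# Matches the Maven coordinate in Groovy DSL, Kotlin DSL and in the
# `gradlew dependencies` tree, including Gradle's "declared -> resolved"
# notation, e.g.  com.google.android.play:core:1.6.4 -> 1.8.0
COORD_RE = re.compile(
    r"com\.google\.android\.play:core:(\d+(?:\.\d+)*)"
    r"(?:\s*->\s*(\d+(?:\.\d+)*))?"
)


def parse_version(text):
    """'1.7.1' -> (1, 7, 1); tuples compare correctly component-wise."""
    return tuple(int(part) for part in text.split("."))


def find_play_core_versions(text):
    """Return a list of (declared, effective) version tuples found in text.

    `effective` is the resolved version when Gradle printed a '->' arrow,
    otherwise it equals the declared version.
    """
    found = []
    for match in COORD_RE.finditer(text):
        declared = parse_version(match.group(1))
        effective = parse_version(match.group(2)) if match.group(2) else declared
        found.append((declared, effective))
    return found


def is_vulnerable(version):
    """True when the version compiled into the app predates the fix."""
    return version < FIXED_VERSION


def scan_text(text, source="<input>"):
    """Produce one finding per Play Core coordinate in text."""
    findings = []
    for declared, effective in find_play_core_versions(text):
        findings.append({
            "source": source,
            "declared": ".".join(map(str, declared)),
            "effective": ".".join(map(str, effective)),
            "vulnerable": is_vulnerable(effective),
        })
    return findings


# Constructed sample: an app that pins a vulnerable version directly.
SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'androidx.appcompat:appcompat:1.2.0'
    implementation 'com.google.android.play:core:1.7.1'
}
"""

# Constructed sample of `gradlew :app:dependencies` output: the app never
# declares Play Core itself, but a (hypothetical) third-party SDK pulls in
# a vulnerable version transitively, which a build-file grep would miss.
SAMPLE_DEP_TREE = """
+--- androidx.appcompat:appcompat:1.2.0
\\--- com.example:analytics-sdk:2.3.0
     \\--- com.google.android.play:core:1.7.1
"""


def main(paths):
    """Scan the given files, or the built-in samples when none are given."""
    inputs = ([(p, Path(p).read_text()) for p in paths] or
              [("sample build.gradle", SAMPLE_BUILD_GRADLE),
               ("sample dependency tree", SAMPLE_DEP_TREE)])
    exit_code = 0
    for source, text in inputs:
        for f in scan_text(text, source):
            status = "VULNERABLE" if f["vulnerable"] else "ok"
            print(f"{f['source']}: core {f['declared']} -> {f['effective']} [{status}]")
            exit_code |= int(f["vulnerable"])
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against `./gradlew :app:dependencies --configuration releaseRuntimeClasspath` output rather than only against `build.gradle`: the resolved tree is what actually ends up in the APK, and it catches the transitive case in the second sample that a grep of your own build files would miss. Projects using a Gradle version catalog keep the version in `libs.versions.toml`, so for them the dependency-tree output is the only reliable input.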

As of September 2020, the researchers found that 13 percent of Google Play applications used the Google Play Core Library, and that 8 percent of those were still shipping a vulnerable version, leaving them exposed to CVE-2020-8913. These include several popular apps, such as the social app Viber, the travel app Booking, the business app Cisco Teams, the navigation apps Yango Pro and Moovit, the dating apps Grindr, OKCupid and Bumble, the mobile browser app Edge, and the utility apps XRecorder and PowerDirector.

To exploit this CVE, an attacker first needs to convince the victim to install a malicious application. That app then targets one of the applications already installed on the victim's device that uses a vulnerable version of the Google Play Core Library. The vulnerable library accepts the attacker's payload as if it were a legitimate module, loads it, and executes it inside the host application's process, so the payload gains access to every resource and permission available to the hosting application. While the flaw is relatively easy to exploit, the damage it can cause is severe: a malicious application that exploits this vulnerability can run code inside popular applications with the same access those applications have. That opens up a range of attacks, including injecting code into banking applications to steal credentials and two-factor authentication codes, injecting code into enterprise applications to access sensitive corporate resources, or injecting code into instant-messaging apps to read, and even send, messages on the victim's behalf.
