Google Play bug makes some Android apps vulnerable to data theft

A flaw in the Android operating system appears to have left several Android applications vulnerable to attackers stealing data. The bug itself has since been patched by Google, but not all developers have modified their apps.

Research by security researcher Check Point shows that the flaw in question is the one tracked as CVE-2020-8913. It is a bug in the Google Play Core Library that came to light earlier. Google fixed the problem in April, but developers have to incorporate the patched code into their applications themselves for those apps to stop being vulnerable.

Check Point found that a number of Android applications still contain the vulnerability. These include Microsoft’s Edge browser, which has been downloaded millions of times. Shortly before Check Point published its research, apps such as Viber, Booking, Grindr and OKCupid were still vulnerable. How many apps currently contain the vulnerability is not clear, but an analysis in September pointed to 8 percent of scanned Android apps.

The Google Play Core Library flaw allowed attackers to add their own code to applications by passing it off as verified code that can normally only come from Google servers. By running that code, attackers can, for example, steal confidential data from applications. Once developers update their apps to use the updated Google Play Core Library, adding such a payload is no longer possible.