Android apps with millions of downloads are vulnerable to serious attacks
Flaw allows malicious apps to steal credentials, private messages, and much more. …
Android apps with hundreds of millions of downloads are vulnerable to attacks that allow malicious apps to steal contacts, login credentials, private messages, and other sensitive information. Security firm Check Point said that the Edge Browser, the XRecorder video and screen recorder, and the PowerDirector video editor are among those affected.
The vulnerability actually resides in the Google Play Core Library, which is a collection of code made by Google. The library allows apps to streamline the update process by, for instance, receiving new versions during runtime and tailoring updates to an individual app’s specific configuration or a specific phone model the app is running on.
A core vulnerability
In August, security firm Oversecured disclosed a security bug in the Google Play Core Library that allowed one installed app to execute code in the context of any other app that relied on the vulnerable library version.
The vulnerability stemmed from a directory traversal flaw that allowed untrusted sources to copy files to a folder that was supposed to be reserved only for trusted code received from Google Play. The vulnerability undermined a core protection built into the Android operating system that prevents one app from accessing data or code belonging to any other app.
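The class of flaw described above, as an added Java illustration that is not code from the Google Play Core Library or from the article: a caller-supplied file name is joined to a staging directory for untrusted files, next to a directory reserved for trusted code. The directory names, method names and sample file names are hypothetical and constructed for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Illustration only: names are hypothetical, not the library's own.
public class StagingCopy {

    // Unchecked pattern: the supplied name is joined to the staging
    // directory as-is, so a name containing ".." can resolve outside it.
    static Path uncheckedTarget(Path stagingDir, String name) {
        return stagingDir.resolve(name + ".apk");
    }

    // Hardened pattern: normalize the joined path and require that it is
    // still a direct child of the staging directory. normalize() is purely
    // lexical; it does not follow symlinks.
    static Path checkedTarget(Path stagingDir, String name) throws IOException {
        Path base = stagingDir.toAbsolutePath().normalize();
        Path target = base.resolve(name + ".apk").normalize();
        if (!base.equals(target.getParent())) {
            throw new IOException("name escapes staging directory: " + name);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: "untrusted" stages files from other sources,
        // "trusted" is meant to hold only files received from the store.
        Path root = Files.createTempDirectory("demo");
        Path staging = Files.createDirectories(root.resolve("untrusted"));
        Path trusted = Files.createDirectories(root.resolve("trusted"));

        String[] names = { "feature_a", "../trusted/feature_a", "nested/feature_a" };
        for (String name : names) {
            Path loose = uncheckedTarget(staging, name).normalize();
            System.out.println(name + " -> unchecked path lands in trusted dir: "
                    + loose.startsWith(trusted));
            try {
                System.out.println("  checked target: " + checkedTarget(staging, name));
            } catch (IOException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the plain name passes the check; the other two are rejected before any file would be written.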
Google patched the library bug in April, but for vulnerable apps to be fixed, developers must first download the updated library and then incorporate it into their app code. According to research findings from