Android flaw allows malicious apps to steal data from legitimate apps

Application security specialist Sergey Toshin revealed the finding of a critical vulnerability affecting a wide variety of Android operating system devices. According to the report, the flaw would allow the use of malicious apps to extract sensitive information from legitimate applications installed on exposed devices.

Some details of Toshin’s research were posted on the specialized website TedCrunch.

Tracked as CVE-2020-8913, this is an arbitrary code execution vulnerability in Android Play Core library versions prior to 1.7.2. Threat actors could create malicious applications to perform directory traversation, code execution in legitimate applications, and access to data from other areas of the system.

Esta imagen tiene un atributo ALT vacío; su nombre de archivo es android01092020-1.jpg

Two potential malicious scenarios have been detected from the reported vulnerability:

  • Incorrectly limiting a path name to a restricted directory
  • Inadequate permitting

Because the flaw resides in an operating system library, any legitimate application that depends on the compromised components would be affected, the researcher mentioned. In his proof of concept, Toshin points out that he was able to create an application capable of extracting some details successfully, including browsing history, login cookies, passwords, among other data. 

The fault received a score of 8.8 according to the Common Vulnerability Scoring System (CVSS), so it is considered a high security risk. The expert adds that some very popular apps could have been affected without anyone being able to notice. Upon receiving the report, Google acknowledged the flaw and enlisted a fix. The update was released in March 2020 with the release of Play Core Library version 1.7.2.

The expert mentions that the risk of exploitation is high, so users of the operating system are advised to install all updates issued by Play Core. More details are available on the official website of Android developers.