Application security specialist Sergey Toshin revealed the finding of a critical vulnerability affecting a wide variety of Android operating system devices. According to the report, the flaw would allow the use of malicious apps to extract sensitive information from legitimate applications installed on exposed devices.
Some details of Toshin’s research were posted on the specialized website TedCrunch.
Tracked as CVE-2020-8913, this is an arbitrary code execution vulnerability in Android Play Core library versions prior to 1.7.2. Threat actors could create malicious applications to perform directory traversation, code execution in legitimate applications, and access to data from other areas of the system.
Two potential malicious scenarios have been detected from the reported vulnerability:
- Incorrectly limiting a path name to a restricted directory
- Inadequate permitting
Because the flaw resides in an operating system library, any legitimate application that depends on the compromised components would be affected, the researcher mentioned. In his proof of concept, Toshin points out that he was able to create an application capable of extracting some details successfully, including browsing history, login cookies, passwords, among other data.
The fault received a score of 8.8 according to the Common Vulnerability Scoring System (CVSS), so it is considered a high security risk. The expert adds that some very popular apps could have been affected without anyone being able to notice. Upon receiving the report, Google acknowledged the flaw and enlisted a fix. The update was released in March 2020 with the release of Play Core Library version 1.7.2.
The expert mentions that the risk of exploitation is high, so users of the operating system are advised to install all updates issued by Play Core. More details are available on the official website of Android developers.
He is a cyber security and malware researcher. He studied Computer Science at Miami and started working as a cyber security analyst in 2008. He is actively working as an cyber security investigator. He also worked for security companies like Cisco. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.