Google Play bug makes some Android apps vulnerable to data theft

A flaw in the Android operating system appears to have left several Android applications vulnerable to data theft by attackers. The bug itself has since been patched by Google, but not all developers have modified their apps.

Research by security researcher Check Point reveals that it is the bug identified as CVE-2020-8913. This is a bug that was in the Google Play Core Library and that was previously discovered. Google already fixed the problem in April, but developers need to process the custom code in their applications themselves to no longer be susceptible to the issues.

Check Point found that a number of Android applications are still struggling with the vulnerability. This includes Microsoft’s Edge browser, which has been downloaded millions of times. Shortly before Check Point published its research, apps such as Viber, Booking, Grindr and OKCupid were also still vulnerable. It is not clear how many apps still contain the vulnerability, but an analysis in September indicated 8 percent of the scanned Android apps.

The bug in the Google Play Core Library allowed attackers to add their own code to applications, posing as verified code that can normally only come from Google servers. For example, by executing the code, confidential data can be stolen from applications. When developers update their apps and use the improved Google Play Core Library, adding such a payload will no longer be possible.