PSA: A ‘Fixed’ Android Threat Remains In Hundreds Of Apps

An investigation into Android security by Check Point Software Technologies has uncovered hundreds of apps on the Google Play Store that are vulnerable to attack. These include high-profile apps like Facebook, Messenger, Yahoo, WeChat and Instagram.

Researchers at Check Point Software Technologies scanned the Google Play Store for known patterns associated with vulnerable versions of open-source code. They discovered three vulnerabilities of ‘critical severity’ lurking in hundreds of popular apps.

What’s surprising is that these vulnerabilities are known to have been fixed. Yet they remain present in many Android apps due to the use of outdated code – and updating to the latest version doesn’t help matters. As the report explains:

The common perception consumers have around vulnerabilities is that as soon as they are discovered, they’re immediately patched, so by updating their device with the latest software, they are keeping it secure. In reality, long-known vulnerabilities may persist even in apps recently published on Google Play.

[These] three vulnerabilities, all fixed over two years ago, make hundreds of apps potentially vulnerable to remote code execution.

Popular apps known to be affected include:

  • LiveXLive
  • Moto Voice BETA
  • Yahoo! Transit
  • Yahoo! Browser
  • Yahoo! MAP
  • Yahoo! Car Navigation
  • Facebook
  • Messenger
  • SHAREit
  • Mobile Legends: Bang Bang
  • Smule
  • JOOX Music
  • WeChat
  • AliExpress
  • Video MP3 Converter
  • Lazada
  • VivaVideo
  • Retrica
  • TuneIn

According to Check Point Software Technologies, these vulnerabilities could allow hackers to steal and alter posts on Facebook or read messages in WeChat, to give just two examples.

As mentioned above, the problem has to do with outdated open-source code finding its way into commercial applications. These are typically reusable native components written in a low-level language such as C and bundled into the app as shared libraries.

While these vulnerabilities are usually found and fixed in the open-source projects themselves, their maintainers have no control over the apps that bundle these native libraries. Consequently, a commercial app may keep shipping the outdated version of the code even years after the vulnerability was discovered and patched upstream.
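The scan described earlier (looking for byte patterns that betray a vulnerable version of an open-source library inside an app) is the defender's counterpart to the problem just described: an app ships a native .so compiled from old source, so the fix never reaches it. The following is an added illustration, not Check Point's scanner or any code from the report. It treats an APK as the zip archive it is, pulls out every bundled native library, matches a watch-list of version strings against the binary, and flags any library whose version predates the fix. The watch-list entries (`libexample`, `libother`, their version-string formats and "fixed in" versions) are hypothetical, and the sample APK is constructed in memory so the script runs offline.

```python
import io
import re
import zipfile

# Hypothetical watch-list, constructed for this example: the article does not
# name the affected libraries. Each entry pairs a regex that captures the
# version string a library embeds in its compiled .so with the first version
# that carries the upstream fix.
WATCH_LIST = {
    "libexample": {
        "pattern": re.compile(rb"libexample/(\d+)\.(\d+)\.(\d+)"),
        "fixed_in": (2, 0, 0),
    },
    "libother": {
        "pattern": re.compile(rb"libother version (\d+)\.(\d+)\.(\d+)"),
        "fixed_in": (1, 4, 2),
    },
}


def extract_versions(blob: bytes):
    """Return {library: version_tuple} for each watch-listed library whose
    version string appears anywhere in a native binary's bytes."""
    found = {}
    for name, entry in WATCH_LIST.items():
        match = entry["pattern"].search(blob)
        if match:
            found[name] = tuple(int(x) for x in match.groups())
    return found


def scan_apk(apk_bytes: bytes):
    """Open an APK (a zip archive) and report every bundled native library
    whose embedded version predates the fix. Returns one dict per finding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            # Native code lives under lib/<abi>/*.so inside the APK.
            if not (info.filename.startswith("lib/") and info.filename.endswith(".so")):
                continue
            blob = apk.read(info)
            for lib, version in extract_versions(blob).items():
                fixed_in = WATCH_LIST[lib]["fixed_in"]
                if version < fixed_in:  # tuple comparison: (1, 9, 7) < (2, 0, 0)
                    findings.append({
                        "file": info.filename,
                        "library": lib,
                        "version": ".".join(map(str, version)),
                        "fixed_in": ".".join(map(str, fixed_in)),
                    })
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: a zip holding two fake native
    libraries, one built from outdated source and one already patched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", "<manifest/>")
        apk.writestr("lib/arm64-v8a/libexample.so",
                     b"\x7fELF...padding...libexample/1.9.7 built 2016...")
        apk.writestr("lib/arm64-v8a/libother.so",
                     b"\x7fELF...padding...libother version 1.4.2...")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(f"{finding['file']}: {finding['library']} {finding['version']} "
              f"(fixed in {finding['fixed_in']})")
```

On the constructed sample the scan reports only `libexample` 1.9.7, since `libother` is already at its fixed version. A real deployment would swap the hypothetical watch-list for version patterns taken from the actual upstream projects and run the scan over the APKs an organisation actually installs, which is exactly the kind of inventory end users cannot perform themselves.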

According to Check Point Software Technologies, there’s not much the end user can do about these vulnerabilities other than follow the usual security precautions and hope for the best. You can check out the full report below.

[Via Check Point Software Technologies]
