fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Android Apps With 200 Million Installs Vulnerable To Security Bug

Android Apps With 200 Million Installs Vulnerable To Security Bug

Android apps with over 250 million downloads are still susceptible to a severe vulnerability in a Google library that was patched in August 2020.

In August, mobile app security company Oversecured discovered a vulnerability in the Google Play Core Library that allowed malicious applications to execute code in legitimate apps.

These malicious executables would then run under the legitimate app’s security permissions, allowing it to monitor and steal data being entered into the app or transmitted by it.

This vulnerable library is used to update an app’s components at runtime through the Google API. This library is used by many popular apps, including Chrome, Edge, Facebook, Instagram, WhatsApp, and Snapchat.

Tracked as CVE-2020-8913, the vulnerability was assigned an 8.8 (High) rating and was fixed by Google in Google Play Core Library version 1.7.2.

Many apps continue to use a vulnerable version

Researchers from Check Point Research have discovered that there are still apps with millions of installs using the vulnerable library over three months later.

Also Read: A Look at the Risk Assessment Form Singapore Government Requires

“Since the publication of this vulnerability, we started monitoring vulnerable applications. During the month of September 2020, 13% of Google Play applications analyzed by SandBlast Mobile used this library, and 8% of those apps had a vulnerable version,” Check Point Research stated in their report.

This is worrisome, as according to the researchers, the Google Play Core Library vulnerability is trivial to exploit

“All you need to do is to create a “hello world” application that calls the exported intent in the vulnerable app to push a file into the verified files folder with the file-traversal path. Then sit back and watch the magic happen,” Check Point explains.

CVE-2020-8913 attack flow
CVE-2020-8913 attack flow
Source: Check Point Research

To illustrate how easy it is to exploit this vulnerability, Check Point created a video demonstrating it in action, shown below.

Below is a list of some of the vulnerable applications discovered by Check Point. As you can see, all of these apps have at least 1 million downloads, with one as high as 100 million downloads.

App NameVersionDownload Count
Aloha2.23.01,000,000
Walla! Sports1.8.3.1100,000
XRecorder1.4.0.3100,000,000
Hamal2.2.2.11,000,000
IndiaMART12.7.410,000,000
Edge45.09.4.508310,000,000
Grindr6.32.010,000,000
Yango Pro (Taximeter)9.565,000,000
PowerDirector7.5.050,000,000
OkCupid47.0.010,000,000
Teams40.10.1.2741,000,000
Bumble5.195.110,000,000

As the Google Play Core Library can not be auto-updated by Google, developers must manually download a new version and update their apps with it. Their apps will continue to be vulnerable and potentially exploited by threat actors to steal data and passwords or perform malicious activity until they do.

Also Read: How to Send Mass Email Without Showing Addresses: 2 Great Workarounds

Unfortunately, even after Check Point notified each of the developers about their apps’ vulnerability, the researchers said only Viber and Booking released fixed versions.

Update 12/3/20:  Moovit had released an updated version today that fixed the vulnerability and was removed from the list above.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us