The latest versions of popular apps hosted on Google Play are harboring known vulnerabilities that could subject users to Remote Code Execution (RCE) attacks.
When we download apps from official repositories, we may assume that security updates have already been applied -- or once installed, software updates will make sure the app is up-to-date with fixes. However, on Thursday, cybersecurity researchers from Check Point said that patches issued to resolve years-old flaws for popular applications may not have been applied to versions available in Google Play.
In a blog post, Check Point documented the results of a month-long study, conducted in May, into the presence of known vulnerabilities in popular mobile applications. The results suggested that the use of third-party components and open source resources, including libraries, may have led to old, vulnerable code still being present in apps.
"When a vulnerability is found and fixed in an open source project, its maintainers typically have no control over the native libraries which may be affected by the vulnerability, nor the apps using these native libraries," Check Point says. "This is how an app may keep using the outdated version of the code even years after the vulnerability is discovered."
Specifically, the researchers examined the mobile apps in question for three RCE vulnerabilities dating from 2014, 2015 and 2016. Each bug was given two detection signatures, and hundreds of apps from the Google Play Store were scanned against them.
The first vulnerability scanned for, tracked as CVE-2014-8962, is described as a stack-based buffer overflow problem in libFLAC before 1.3.1 which permits attackers to achieve RCE via a crafted .flac file.
The FLAC audio codec vulnerability and libraries using vulnerable code were found in apps including LiveXLive, Moto Voice BETA, and four Yahoo! apps -- Transit, Browser, Map, and Car navigation.
The second vulnerability examined by the team was CVE-2015-8271, an RCE bug in RTMPDump 2.4's librtmp, the library FFmpeg uses for RTMP video streaming. This old bug was connected to apps including Facebook, Facebook Messenger, ShareIt, and WeChat.
The final security flaw, CVE-2016-3062, is a memory-corruption bug in the MOV/MP4 demuxer of Libav before 11.7 and FFmpeg before 0.11 which can be triggered by a crafted video file to cause a denial of service (DoS) or potentially RCE.
Apps on the Google Play Store including AliExpress, Video MP3 Converter, and Lazada are believed to be affected. All of the applications mentioned have been downloaded millions of times.
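The scanning approach described above (a per-bug signature matched against the native libraries bundled in each APK) is easy to reproduce for your own builds. The following is an added example, not Check Point's tooling or code from any of the apps named here: it unzips an APK, walks the `lib/<abi>/*.so` members, searches each for a library version string, and compares the version against the fixed threshold the article cites. The libFLAC vendor string format (`reference libFLAC <version> <date>`) and the `Lavf<version>` libavformat ident string are real strings those libraries embed; the sample APK, its library names and their contents are constructed for the demonstration, and the `SIGNATURES` table is an assumed structure you would extend with your own patterns.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Signature table (assumed structure, added for this example):
# (library name, regex capturing the version, fixed version tuple or None, CVE).
# libFLAC: fixed in 1.3.1 per the article, so anything below that is flagged.
# libavformat: the "Lavf" ident is real, but the same version numbering is shared
# by FFmpeg and Libav, so no verdict is given and the hit is reported for triage.
SIGNATURES = [
    ("libFLAC", re.compile(rb"reference libFLAC (\d+\.\d+\.\d+)"), (1, 3, 1), "CVE-2014-8962"),
    ("libavformat", re.compile(rb"Lavf(\d+\.\d+\.\d+)"), None, "CVE-2016-3062"),
]


def parse_version(raw: bytes) -> Tuple[int, ...]:
    """Turn b'1.2.1' into (1, 2, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in raw.decode("ascii").split("."))


@dataclass
class Finding:
    member: str            # path inside the APK, e.g. lib/arm64-v8a/libaudio.so
    library: str
    version: str
    cve: str
    vulnerable: Optional[bool]  # None: version found, but no threshold applied


def scan_apk(apk_bytes: bytes) -> List[Finding]:
    """Scan every bundled native library in an APK (a zip) for known version strings."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            # Native code lives under lib/<abi>/; skip dex, resources, manifest.
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = zf.read(name)
            for library, pattern, fixed, cve in SIGNATURES:
                for match in pattern.finditer(data):
                    version = match.group(1)
                    verdict = None if fixed is None else parse_version(version) < fixed
                    findings.append(Finding(name, library, version.decode("ascii"), cve, verdict))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample, not a real app: a zip laid out like an APK whose fake
    native libraries carry version strings for the scanner to find."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        # Old libFLAC (pre-1.3.1): should be flagged.
        zf.writestr("lib/arm64-v8a/libaudio.so",
                    b"\x7fELF\x00\x00reference libFLAC 1.2.1 20070917\x00")
        # Newer libFLAC plus a libavformat ident: one clean hit, one informational hit.
        zf.writestr("lib/arm64-v8a/libplayer.so",
                    b"\x7fELF\x00\x00Lavf53.21.1\x00reference libFLAC 1.3.2 20170101\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        status = {True: "VULNERABLE", False: "fixed", None: "review"}[f.vulnerable]
        print(f"{f.member}: {f.library} {f.version} ({f.cve}) -> {status}")
```

Two caveats a practitioner should keep in mind. Absence of a match is not proof of absence: a library compiled without its vendor string, statically linked into a larger `.so`, or stripped will not be found this way, which is why Check Point used code-level signatures rather than version strings alone. Conversely, a match only tells you the old code is present, not that the app ever feeds attacker-controlled input to it; that is the argument Facebook makes below about its own use of this code.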
The Instagram application also originally appeared to be affected by the Libav flaw. However, when Check Point contacted Instagram's security team to discuss the scan result, the team said:
"Confusingly there were two different patches created for this issue, one for FFmpeg 7 years ago (which wasn't a CVE) and one for libav 3 years ago (which was a CVE), and then it appears that FFmpeg pulled the second fix from libav and now carries both patches, while either one would be sufficient."
All of these vulnerabilities were fixed years ago, but they remain a risk to today's users as long as developers keep shipping apps built against the old, unpatched library versions.
"Keeping track of all security updates in all external components of a sophisticated mobile app is a tedious task, and it's no surprise that few maintainers are willing to expend the effort," Check Point says. "Mobile app stores and security researchers do proactively scan apps for malware patterns, but devote less attention to long-known critical vulnerabilities. Unfortunately, this means there's not much the end-user can do to keep his mobile device fully secure."
Check Point Research notified the developers of the vulnerable applications, along with Google. Google asked for the publication date to be postponed by two weeks to give the company time to investigate, which Check Point accepted.
Speaking to ZDNet, Check Point researcher Slava Makkaveev said:
"We reported our findings to relevant apps' developers but none replied with information about the planned or applied fixes. We currently still don't have information about issued fixes."
"Check Point reached out to us about this issue and informed us that affected developers have been notified. We are currently working to investigate their findings," a Google spokesperson told ZDNet. "Additionally, we recently expanded the scope of our Google Play Security Reward Program to encourage further collaboration between app developers and the security community."
Facebook disputed the findings, telling us, "People using Facebook services are not vulnerable to any of the issues highlighted by Check Point due to the design of our systems that use this code."
In related news this week, researchers from Checkmarx disclosed vulnerabilities in the Android ecosystem which could be exploited to hijack smartphone cameras to covertly take images and videos, even if a device is locked. Google confirmed the existence of the security flaws and issued a patch to resolve the bugs.