The researcher found a bug in the Android OS that could let malicious apps exfiltrate user data. Such apps could exploit the bug to steal sensitive data from other apps running on the target device.
Specifically, the bug existed in the Play Core library, which lets app developers roll out updates to their apps.
Hence, all apps relying on this component for updates were potentially vulnerable. A malicious app could exploit this component to inject malicious modules into other apps and steal their data.
As a proof of concept, the researcher created a test app that successfully stole data including passwords, browsing history, and login cookies.
This vulnerability, CVE-2020-8913, specifically affected the SplitCompat.install endpoint in the Play Core Library. The bug received a high-severity rating with a CVSS score of 8.8. According to the vulnerability description:
"A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application's data on the Android device."
Following the discovery of the vulnerability, Google developed a fix.
Consequently, they patched the bug with the release of Play Core Library version 1.7.2 in March 2020.
The researcher urges all app developers to update their applications with the latest Play Core library version to stay protected.
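One way to check a project against the 1.7.2 fix mentioned above is to audit its Gradle build files for the Play Core dependency. This is an added example, not code from the researcher or from Google; it assumes the library is declared directly under its Maven coordinate com.google.android.play:core, and the build file it scans is a constructed sample.

```python
import re

FIXED = (1, 7, 2)  # first patched Play Core release named in the article

# String notation, Groovy or Kotlin DSL: "com.google.android.play:core:<version>"
STRING_DEP = re.compile(r"""["']com\.google\.android\.play:core:([^"'@]+)""")
# Groovy map notation: group: '...', name: 'core', version: '<version>'
MAP_DEP = re.compile(
    r"""group:\s*["']com\.google\.android\.play["']\s*,\s*"""
    r"""name:\s*["']core["']\s*,\s*version:\s*["']([^"']+)["']"""
)
EXACT = re.compile(r"\d+(\.\d+)*")


def classify(version):
    """Return 'vulnerable', 'patched', or 'unresolved' for a version string."""
    if not EXACT.fullmatch(version):
        # Dynamic ("1.+") or interpolated ("$var") versions need manual review.
        return "unresolved"
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # pad "1.7" to (1, 7, 0)
    return "patched" if parts >= FIXED else "vulnerable"


def audit(gradle_text):
    """Return a list of (line_number, version, status) for Play Core entries."""
    findings = []
    for number, line in enumerate(gradle_text.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # skip commented-out dependencies
        for pattern in (STRING_DEP, MAP_DEP):
            for match in pattern.finditer(line):
                version = match.group(1)
                findings.append((number, version, classify(version)))
    return findings


# Constructed sample build file, not taken from any real project.
SAMPLE = """\
dependencies {
    implementation 'com.google.android.play:core:1.7.1'
    implementation("com.google.android.play:core:1.7.2")
    // implementation 'com.google.android.play:core:1.6.0'
    implementation group: 'com.google.android.play', name: 'core', version: '1.6.4'
    implementation "com.google.android.play:core:$playCoreVersion"
    implementation 'com.google.android.play:core-ktx:1.8.1'
}
"""
```

The scan only sees versions declared in the file itself; a copy of the library pulled in transitively by another SDK has to be checked in the resolved dependency tree.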