Critical vulnerabilities that have been fixed years ago are still present in many popular Android applications due to their developer’s failure to apply patches available for third-party components.
Researchers at Check Point have selected three critical arbitrary code execution vulnerabilities patched in 2014, 2015 and 2016 in widely used third-party libraries.
The company explained that mobile applications often rely on native libraries that are either derived from open source projects or use code fragments from open source software. If a vulnerability is found in these open source projects, their developer may implement a fix, but there is no way for them to ensure that the fix will also be added to other software relying on their code.
In June 2019, Check Point scanned Android applications present on Google Play in an effort to determine if they use vulnerable libraries.
One of the vulnerabilities they targeted is CVE-2014-8962, a buffer overflow in the libFLAC audio codec that can be exploited for arbitrary code execution or denial-of-service (DoS) attacks by convincing the targeted user to open a specially crafted FLAC audio file with an application that uses a vulnerable version of libFLAC.
Check Point’s analysis revealed that CVE-2014-8962 is still present in the LiveXLive music streaming app, the Moto Voice voice control app for Motorola phones, and various Yahoo apps. All of these applications have been downloaded millions or tens of millions of times from Google Play.
Another vulnerability analyzed by Check Point, CVE-2015-8271, affects the RTMPDump toolkit for RTMP streams and it can also be exploited for arbitrary code execution.
The vulnerability has been identified in libraries used in the Facebook, Facebook Messenger, Lenovo SHAREit, Mobile Legends: Bang Bang, Smule, JOOX Music and WeChat applications. The first three apps each have over one billion downloads on Google Play, while the rest have over 100 million downloads.
Finally, researchers scanned Google Play apps for CVE-2016-3062, which impacts a Libav library and allows remote code execution and DoS attacks via specially crafted media files. A library containing this vulnerability has been found in the AliExpress, Video MP3 Converter, Lazada, VivaVideo, Smule, JOOX Music, Retrica and TuneIn applications, all of which have over 100 million downloads on Google Play.
Overall, hundreds of popular Android applications have been found to be affected by the three vulnerabilities.
“Just three vulnerabilities, all fixed over two years ago, make hundreds of apps potentially vulnerable to remote code execution. Can you imagine how many popular apps an attacker can target if he scans Google Play for a hundred known vulnerabilities?” Check Point researcher Slava Makkaveev, who conducted the analysis, wrote in a blog post.
Makkaveev added, “Keeping track of all security updates in all external components of a sophisticated mobile app is a tedious task, and it’s no surprise that few maintainers are willing to expend the effort. Mobile app stores and security researchers do proactively scan apps for malware patterns, but devote less attention to long-known critical vulnerabilities. Unfortunately, this means there’s not much the end user can do to keep his mobile device fully secure.”
Related: Vulnerabilities in Android Camera Apps Exposed Millions of Users to Spying
Related: Vulnerability in Network Provisioning Affects Majority of All Android Phones