
Long-Patched Vulnerabilities Still Present in Many Popular Android Apps

Critical vulnerabilities that were fixed years ago are still present in many popular Android applications because their developers have not applied the patches available for the third-party components those apps rely on.

Researchers at Check Point have selected three critical arbitrary code execution vulnerabilities patched in 2014, 2015 and 2016 in widely used third-party libraries.

The company explained that mobile applications often rely on native libraries that are either derived from open source projects or use code fragments from open source software. If a vulnerability is found in one of these open source projects, its developers may implement a fix, but they have no way to ensure that the fix will also make its way into other software that bundles their code.

In June 2019, Check Point scanned Android applications present on Google Play in an effort to determine if they use vulnerable libraries.

One of the vulnerabilities they targeted is CVE-2014-8962, a buffer overflow in the libFLAC audio codec that can be exploited for arbitrary code execution or denial-of-service (DoS) attacks by convincing the targeted user to open a specially crafted FLAC audio file with an application that uses a vulnerable version of libFLAC.

Check Point’s analysis revealed that CVE-2014-8962 is still present in the LiveXLive music streaming app, the Moto Voice voice control app for Motorola phones, and various Yahoo apps. All of these applications have been downloaded millions or tens of millions of times from Google Play.

Another vulnerability analyzed by Check Point, CVE-2015-8271, affects the RTMPDump toolkit for RTMP streams and can also be exploited for arbitrary code execution.

The vulnerability has been identified in libraries used in the Facebook, Facebook Messenger, Lenovo SHAREit, Mobile Legends: Bang Bang, Smule, JOOX Music and WeChat applications. The first three apps each have over one billion downloads on Google Play, while the rest have over 100 million downloads.


Finally, researchers scanned Google Play apps for CVE-2016-3062, which impacts a Libav library and allows remote code execution and DoS attacks via specially crafted media files. A library containing this vulnerability has been found in the AliExpress, Video MP3 Converter, Lazada, VivaVideo, Smule, JOOX Music, Retrica and TuneIn applications, all of which have over 100 million downloads on Google Play.

Overall, hundreds of popular Android applications have been found to be affected by the three vulnerabilities.
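A defender-side check of the kind the scan above relies on, written as an added example for this article (it is not Check Point's tooling): open an APK as the zip it is, walk the native libraries under lib/, and compare any version banner compiled into them against a rule table. The rule table, the regex, the fixed-version threshold and the sample APK are all constructed for the example; confirm the threshold against the upstream advisory before using it.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed rule table: a regex capturing the dotted version that libFLAC
# embeds in its binaries, and the first release this example ASSUMES carries
# the CVE-2014-8962 fix. Extend with one entry per library you track.
LIBRARY_RULES: Dict[str, Tuple[re.Pattern, Version]] = {
    "libFLAC / CVE-2014-8962": (re.compile(rb"libFLAC (\d+\.\d+\.\d+)"), (1, 3, 1)),
}

def parse_version(text: str) -> Version:
    """Turn '1.3.0' into (1, 3, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def scan_apk(apk_bytes: bytes) -> Dict[str, dict]:
    """Map each native library path that matches a rule to the version found
    and whether it is older than the assumed fixed version."""
    findings: Dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue  # only native code is in scope here
            blob = apk.read(name)
            for rule, (pattern, fixed) in LIBRARY_RULES.items():
                for match in pattern.finditer(blob):
                    found = parse_version(match.group(1).decode())
                    findings[name] = {
                        "rule": rule,
                        "version": ".".join(map(str, found)),
                        "vulnerable": found < fixed,
                    }
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample APK: two fake .so files carrying the style of
    version banner libFLAC compiles into its binary (not real ELF objects)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"\x00")
        z.writestr("lib/arm64-v8a/libplayer.so", b"\x7fELF..reference libFLAC 1.3.0 20130526\x00")
        z.writestr("lib/arm64-v8a/libcodec.so", b"\x7fELF..reference libFLAC 1.3.2 20170101\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for path, finding in scan_apk(build_sample_apk()).items():
        print(path, finding)
```

The same loop works on a real APK read from disk; a hit marked vulnerable is a prompt to confirm the library build against the advisory, since vendors sometimes backport fixes without bumping the banner.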

“Just three vulnerabilities, all fixed over two years ago, make hundreds of apps potentially vulnerable to remote code execution. Can you imagine how many popular apps an attacker can target if he scans Google Play for a hundred known vulnerabilities?” Check Point researcher Slava Makkaveev, who conducted the analysis, wrote in a blog post.

Makkaveev added, “Keeping track of all security updates in all external components of a sophisticated mobile app is a tedious task, and it’s no surprise that few maintainers are willing to expend the effort. Mobile app stores and security researchers do proactively scan apps for malware patterns, but devote less attention to long-known critical vulnerabilities. Unfortunately, this means there’s not much the end user can do to keep his mobile device fully secure.”

Related: Vulnerabilities in Android Camera Apps Exposed Millions of Users to Spying

Related: Vulnerability in Network Provisioning Affects Majority of All Android Phones

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
