
Long-Patched Vulnerabilities Still Present in Many Popular Android Apps

Critical vulnerabilities that were fixed years ago are still present in many popular Android applications because their developers failed to apply patches available for third-party components.

Researchers at Check Point have selected three critical arbitrary code execution vulnerabilities patched in 2014, 2015 and 2016 in widely used third-party libraries.

The company explained that mobile applications often rely on native libraries that are either derived from open source projects or use code fragments from open source software. If a vulnerability is found in one of these open source projects, its developers may release a fix, but they have no way to ensure that the fix also reaches other software that relies on their code.

In June 2019, Check Point scanned Android applications present on Google Play in an effort to determine if they use vulnerable libraries.

One of the vulnerabilities they targeted is CVE-2014-8962, a buffer overflow in the libFLAC audio codec that can be exploited for arbitrary code execution or denial-of-service (DoS) attacks by convincing the targeted user to open a specially crafted FLAC audio file with an application that uses a vulnerable version of libFLAC.

Check Point’s analysis revealed that CVE-2014-8962 is still present in the LiveXLive music streaming app, the Moto Voice voice control app for Motorola phones, and various Yahoo apps. All of these applications have been downloaded millions or tens of millions of times from Google Play.

Another vulnerability analyzed by Check Point, CVE-2015-8271, affects the RTMPDump toolkit for RTMP streams and can also be exploited for arbitrary code execution.

The vulnerability has been identified in libraries used in the Facebook, Facebook Messenger, Lenovo SHAREit, Mobile Legends: Bang Bang, Smule, JOOX Music and WeChat applications. The first three apps each have over one billion downloads on Google Play, while the rest have over 100 million downloads.

Finally, researchers scanned Google Play apps for CVE-2016-3062, which impacts a Libav library and allows remote code execution and DoS attacks via specially crafted media files. A library containing this vulnerability has been found in the AliExpress, Video MP3 Converter, Lazada, VivaVideo, Smule, JOOX Music, Retrica and TuneIn applications, all of which have over 100 million downloads on Google Play.

Overall, hundreds of popular Android applications have been found to be affected by the three vulnerabilities.
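The scan described above boils down to enumerating the native libraries bundled in an APK and checking the version strings they embed against the first release that carries a fix. The following is an added example of that approach, written for this page and not code from the article or from Check Point. It assumes that libFLAC embeds its vendor string as "reference libFLAC x.y.z yyyymmdd" (which the upstream project does) and treats 1.3.1 as the first libFLAC release fixing CVE-2014-8962; that threshold is an assumption, not something the article states, and the same table can be extended with entries for the other libraries once their fixed versions are confirmed. The APK is constructed in memory so the script runs offline.

```python
"""Added example (not from the article or Check Point): scan an APK's bundled
native libraries for embedded version strings and flag those below an
assumed fixed version. The sample APK below is constructed, not a real app."""
import io
import re
import zipfile

# Assumption (not stated in the article): first libFLAC release carrying the
# fix for CVE-2014-8962. Confirm against the upstream changelog before use.
MIN_SAFE_VERSION = {
    "libFLAC": (1, 3, 1),
}

# Version-string patterns the upstream projects embed in their binaries.
# libFLAC's vendor string has the form "reference libFLAC <x.y.z> <yyyymmdd>".
VERSION_PATTERNS = {
    "libFLAC": re.compile(rb"reference libFLAC (\d+)\.(\d+)\.(\d+)"),
}

# Native libraries live under lib/<abi>/<name>.so inside the APK zip.
NATIVE_LIB = re.compile(r"^lib/[^/]+/[^/]+\.so$")


def find_library_versions(blob):
    """Return {library: set of version tuples} found in one .so's bytes."""
    found = {}
    for lib, pattern in VERSION_PATTERNS.items():
        for m in pattern.finditer(blob):
            found.setdefault(lib, set()).add(tuple(int(g) for g in m.groups()))
    return found


def scan_apk(apk_bytes):
    """Scan every native library in the APK (a zip archive) and return a list
    of (so_path, library, version, is_outdated) tuples in archive order."""
    results = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not NATIVE_LIB.match(name):
                continue
            blob = apk.read(name)
            for lib, versions in find_library_versions(blob).items():
                for ver in sorted(versions):
                    outdated = ver < MIN_SAFE_VERSION[lib]
                    results.append((name, lib, ver, outdated))
    return results


def build_sample_apk():
    """Constructed sample: a minimal zip laid out like an APK, with two fake
    .so files whose only meaningful content is an embedded vendor string.
    The assets entry checks that non-library files are ignored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("lib/arm64-v8a/libplayer.so",
                   b"\x7fELF...reference libFLAC 1.3.0 20130526\x00...")
        z.writestr("lib/armeabi-v7a/libaudio.so",
                   b"\x7fELF...reference libFLAC 1.3.2 20170101\x00...")
        z.writestr("assets/readme.txt", b"reference libFLAC 1.0.0 20010101")
    return buf.getvalue()


if __name__ == "__main__":
    for so_path, lib, ver, outdated in scan_apk(build_sample_apk()):
        status = "OUTDATED" if outdated else "ok"
        print(f"{so_path}: {lib} {'.'.join(map(str, ver))} [{status}]")
```

Matching on vendor strings is cheap and works on stripped binaries, which is why it is a reasonable first pass over a whole app store, but it only tells you which upstream release a library was built from: a fix backported without bumping the version string would show as outdated, and a library built from an unreleased git snapshot (RTMPDump, for instance, has no tagged release after the fix for CVE-2015-8271) would need a different fingerprint, such as a hash of the patched function's code.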

“Just three vulnerabilities, all fixed over two years ago, make hundreds of apps potentially vulnerable to remote code execution. Can you imagine how many popular apps an attacker can target if he scans Google Play for a hundred known vulnerabilities?” Check Point researcher Slava Makkaveev, who conducted the analysis, wrote in a blog post.

Makkaveev added, “Keeping track of all security updates in all external components of a sophisticated mobile app is a tedious task, and it’s no surprise that few maintainers are willing to expend the effort. Mobile app stores and security researchers do proactively scan apps for malware patterns, but devote less attention to long-known critical vulnerabilities. Unfortunately, this means there’s not much the end user can do to keep his mobile device fully secure.”

Related: Vulnerabilities in Android Camera Apps Exposed Millions of Users to Spying

Related: Vulnerability in Network Provisioning Affects Majority of All Android Phones

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
