Long-Patched Vulnerabilities Still Present in Many Popular Android Apps

Critical vulnerabilities that were fixed years ago are still present in many popular Android applications because their developers failed to apply patches that have long been available for the third-party components they bundle.

Researchers at Check Point have selected three critical arbitrary code execution vulnerabilities patched in 2014, 2015 and 2016 in widely used third-party libraries.

The company explained that mobile applications often rely on native libraries that are either derived from open source projects or incorporate code fragments from open source software. When a vulnerability is found in one of these open source projects, its maintainers may ship a fix, but they have no way to ensure that the fix also reaches the other software that embeds their code.

In June 2019, Check Point scanned Android applications present on Google Play in an effort to determine if they use vulnerable libraries.

One of the vulnerabilities they targeted is CVE-2014-8962, a buffer overflow in the libFLAC audio codec that can be exploited for arbitrary code execution or denial-of-service (DoS) attacks by convincing the targeted user to open a specially crafted FLAC audio file with an application that uses a vulnerable version of libFLAC.

Check Point’s analysis revealed that CVE-2014-8962 is still present in the LiveXLive music streaming app, the Moto Voice voice control app for Motorola phones, and various Yahoo apps. All of these applications have been downloaded millions or tens of millions of times from Google Play.

Another vulnerability analyzed by Check Point, CVE-2015-8271, affects the RTMPDump toolkit for handling RTMP streams, and it too can be exploited for arbitrary code execution.

The vulnerability has been identified in libraries used in the Facebook, Facebook Messenger, Lenovo SHAREit, Mobile Legends: Bang Bang, Smule, JOOX Music and WeChat applications. The first three apps each have over one billion downloads on Google Play, while the rest have over 100 million downloads.

Finally, researchers scanned Google Play apps for CVE-2016-3062, which impacts a Libav library and allows remote code execution and DoS attacks via specially crafted media files. A library containing this vulnerability has been found in the AliExpress, Video MP3 Converter, Lazada, VivaVideo, Smule, JOOX Music, Retrica and TuneIn applications, all of which have over 100 million downloads on Google Play.

Overall, hundreds of popular Android applications have been found to be affected by the three vulnerabilities.
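The scan Check Point describes boils down to a supply-chain audit: unpack each APK, look at the native libraries under lib/, and compare the version each one embeds against the first upstream release that carries the fix. The following is an added example, not Check Point's tooling or code from the article, that does this for libFLAC, which really embeds a vendor string of the form "reference libFLAC <version> <date>" in its binary. The 1.3.1 threshold for CVE-2014-8962 is an assumption taken from upstream release notes rather than from the article, and the sample APK is constructed inline so the script runs offline; a practitioner would extend the table with further libraries and thresholds from the respective changelogs.

```python
import io
import re
import zipfile

# Constructed lookup table (assumption, not from the article): for each native
# library, the regex matching the version string it embeds in its binary and
# the first upstream release that carries the fix for the listed CVE.  The
# libFLAC vendor-string format is real; the 1.3.1 threshold is an assumption
# to be confirmed against the upstream release notes.
KNOWN_FIXES = {
    "libFLAC": {
        "pattern": re.compile(rb"reference libFLAC (\d+\.\d+\.\d+)"),
        "fixed_in": (1, 3, 1),
        "cve": "CVE-2014-8962",
    },
}


def parse_version(text):
    """'1.3.0' -> (1, 3, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def scan_native_lib(entry_name, data):
    """Return (entry, library, version, cve) for every known library whose
    embedded version predates the release that carries the fix."""
    findings = []
    for lib, info in KNOWN_FIXES.items():
        for match in info["pattern"].finditer(data):
            version = parse_version(match.group(1).decode("ascii"))
            if version < info["fixed_in"]:
                findings.append(
                    (entry_name, lib, ".".join(map(str, version)), info["cve"])
                )
    return findings


def scan_apk(apk_bytes):
    """An APK is a zip archive; native code lives under lib/<abi>/*.so."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            if entry.startswith("lib/") and entry.endswith(".so"):
                findings.extend(scan_native_lib(entry, apk.read(entry)))
    return findings


def build_sample_apk():
    """Constructed stand-in for a real APK: two fake .so blobs, one carrying a
    pre-fix libFLAC version string and one carrying a patched version, plus
    a dummy classes.dex so the archive looks like an app package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr(
            "lib/arm64-v8a/libaudio.so",
            b"\x7fELF\x02\x01\x01...reference libFLAC 1.3.0 20130526\x00",
        )
        apk.writestr(
            "lib/arm64-v8a/libother.so",
            b"\x7fELF\x02\x01\x01...reference libFLAC 1.3.2 20150101\x00",
        )
        apk.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, lib, version, cve in scan_apk(build_sample_apk()):
        print(f"{entry}: {lib} {version} predates the fix for {cve}")
```

Run against a real package by replacing `build_sample_apk()` with the bytes of the APK file. Matching on embedded version strings is a heuristic: stripped or statically linked builds may drop the string, so a missing hit is not proof that a library is patched, which is why this check complements rather than replaces a maintained software bill of materials.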

“Just three vulnerabilities, all fixed over two years ago, make hundreds of apps potentially vulnerable to remote code execution. Can you imagine how many popular apps an attacker can target if he scans Google Play for a hundred known vulnerabilities?” Check Point researcher Slava Makkaveev, who conducted the analysis, wrote in a blog post.

Makkaveev added, “Keeping track of all security updates in all external components of a sophisticated mobile app is a tedious task, and it’s no surprise that few maintainers are willing to expend the effort. Mobile app stores and security researchers do proactively scan apps for malware patterns, but devote less attention to long-known critical vulnerabilities. Unfortunately, this means there’s not much the end user can do to keep his mobile device fully secure.”

Related: Vulnerabilities in Android Camera Apps Exposed Millions of Users to Spying

Related: Vulnerability in Network Provisioning Affects Majority of All Android Phones

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
