Home News New Severe Vulnerability Found in Google Play Core Library

New Severe Vulnerability Found in Google Play Core Library

Sep 3, 2020
SHARE

If you have an Android device, then you likely know it has always had issues with security. We know we’ve told you about some of the vulnerabilities that have been found in the system over the years. These vulnerabilities are oftentimes bad since they could lead to the theft of personal information. Usually, a malicious app or hacker exploits flaws in order to gain sensitive information and data. A new vulnerability was just found that has to do with the Google Play Core library and this vulnerability was rated severe.

New Android Vulnerability in Google Play Core Library Could Lead to Theft of Sensitive Data

For those of you who aren’t familiar with Google Play Core library, it’s an essential part of the Android app development world. This library allows the developers to bring in-app updates to users and push them out without issues. Google Play Core library is also essential since it allows developers to bring modules with new features to Android apps. The modules include things such as game levels and language packs. A new flaw in this was just found by Oversecured. Oversecured is an app security company that recently just started up.

Oversecured said that the flaw could allow a malicious app on the Android device to exploit the issue they found. The flaw means an app could steal sensitive data and information. The data that could be stolen includes passwords, location information, and credit card numbers. Basically, the malicious app could put modules into other apps that are malicious too. It would be using the Play Core library to steal this information. It would all be possible from within the malicious app itself. For the user, it means that it’s something you wouldn’t even know is happening.

Exploiting Google Play Core Library Easy According to Security Company

The founder of Oversecured, Sergey Toshin, said that it was easy to exploit the bug in Google Play Core library. In order to test out the flaw, the company had a proof-of-concept app built. From there, the company used just a few lines of code to test out the vulnerability. This was tested out on the Android version of Google Chrome. Chrome used a version of Google Play Core library that contained the vulnerability.

What the company found was that a lot of sensitive data was able to be stolen from this proof-of-concept app. The data that the app could steal included login cookies, passwords, and even browsing history. What’s really scary is that there were many apps in Google Play Store that were impacted by this flaw and these were some of the top apps that are found in Google Play Store. You would think that the most popular apps on Android would be updated regularly to the newest version of Google Play Core library, but that just wasn’t the case.

Google Patched Play Core Library Vulnerability in March

Even more alarming about this news is that it happened quite a while ago and we’re just now hearing about it. Google said that a patch was released back in March to fix this vulnerability, which was rated with a score of 8.8 out of 10 on the scale of severity. That means it was a pretty serious vulnerability and could have impacted numerous apps we don’t know about yet. Google did thank the company for reaching out to warn of this vulnerability, which is why a patch was released in March.

We want to know what you think about the vulnerabilities that have impacted Android over the years. Do you think that Google does enough to patch the vulnerabilities? If not, do you think that Google seems late to the game in many cases? Are you aware of all of the vulnerabilities that have happened over the years on Android? Do you feel safe using your Android device for banking and shopping? For you, do you find it’s just better to still use your PC for those types of situations? Lastly, do you think we should be warned about these issues quicker? The quicker we know about them the quicker we could delete the app before it could steal data.