
Android Bug Could Allow Malicious Apps To Steal User Data From Other Apps

by Abeerah Hashim

Android is in the news again for the wrong reasons. A researcher has discovered a serious bug in the Android platform that could allow malicious apps to steal users’ sensitive data from other apps. Fortunately, a fix is now in place.

Android Bug Allowing Data Theft From Other Apps

Sergey Toshin, a security researcher and the founder of app security firm Oversecured, found a serious vulnerability affecting Android. He shared the details of his findings with TechCrunch, which disclosed the matter.

As revealed, the researcher found a bug in the Android OS that could help malicious apps exfiltrate user data. Such apps could exploit the bug to steal sensitive data from other apps running on the target device.

Specifically, the bug existed in the Play Core library, which lets app developers roll out updates to their apps.

Hence, all apps relying on this component for updates were potentially vulnerable. A malicious app could exploit this component to inject malicious modules into other apps and steal data.

As a proof of concept, the researcher created a test app that could successfully steal data including passwords, browsing history, and login cookies.

Google Patched The Bug

According to the researcher, this bug potentially affected ‘some of the most popular apps’ on the Play Store.

This vulnerability, CVE-2020-8913, specifically affected the SplitCompat.install endpoint in the Play Core Library. The bug received a high-severity rating with a CVSS score of 8.8. According to the vulnerability description:

A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application’s data on the Android device.

Following the discovery of the vulnerability, Google worked on a fix.

Consequently, they patched the bug with the release of Play Core Library version 1.7.2 in March 2020.

The researcher urges all app developers to update their applications with the latest Play Core library version to stay protected.
