Check Point experts discovered that many popular apps from the Google Play Store, including Facebook, Instagram, and WeChat, are still vulnerable to old issues. The reason is that developers often do not update the third-party components of their products.
Researchers at Check Point Research cross-analyzed the latest versions of the most popular applications for three known remote code execution (RCE) vulnerabilities dated 2014, 2015, and 2016. All of these bugs were identified in widely used third-party libraries and have long been fixed. The problem is that developers often use fragments of open source projects and open source solutions but then do not bother to update them regularly.
One of the vulnerabilities that the experts were looking for was CVE-2014-8962, a buffer overflow in the libFLAC audio codec that can be used to execute arbitrary code or cause a denial of service (DoS). To trigger it, it is enough to convince the user to open a specially crafted FLAC file in an application that uses a vulnerable version of libFLAC. As it turned out, CVE-2014-8962 is still present in the LiveXLive music streaming application, the Moto Voice voice control application for Motorola devices, and various Yahoo applications. All of these applications have been downloaded from Google Play millions or tens of millions of times.
The second vulnerability is CVE-2015-8271. It affects RTMPDump and can also be used to execute arbitrary code. The vulnerability was discovered in the libraries used in the applications Facebook, Facebook Messenger, Lenovo SHAREit, Mobile Legends: Bang Bang, Smule, JOOX Music, and WeChat. The first three applications have more than one billion downloads on Google Play, and the rest have more than 100 million downloads.
Finally, the researchers tested the applications for a third vulnerability, CVE-2016-3062, which is associated with the Libav library and allows remote execution of arbitrary code or a DoS attack through specially crafted multimedia files. The library containing this vulnerability has been identified in the applications AliExpress, Video MP3 Converter, Lazada, VivaVideo, Smule, JOOX Music, Retrica, and TuneIn, which have been downloaded from Google Play more than 100,000,000 times.
“Only three vulnerabilities, fixed more than two years ago, make hundreds of applications potentially vulnerable to remote code execution. Can you imagine how many popular applications an attacker can attack if he searches hundreds of known vulnerabilities on Google Play?” the researchers write.
The company's experts also wonder why Google is not keeping track of this. They believe that Google should force application developers to update their applications in a timely manner, including the third-party code used in them.