Some Popular Android Apps Still have Long-Patched Vulnerabilities

Encrypted Apps

There are still critical vulnerabilities in many popular Android apps which were fixed years ago due to their developer failure to use patches for third-party components.

Check Point researchers have selected three critical arbitrary code execution vulnerabilities that were patched in widely used third-party libraries in 2014, 2015 and 2016.

The company has clarified that mobile apps frequently rely on proprietary libraries originating from open source projects or using open source code fragments. If there is a vulnerability in these open source projects, your developer can fix this, but there is no way that the fix is also added to other software that uses their code.

In June 2019, Check Point scanned Android apps on Google Play to see if they use vulnerable libraries.

The CVE-2014-8962 buffer overflow in the libFLAC audio codec that can be used for arbitrary code execution or Denial-of-Service (DoS) attacks is one of the vulnerabilities it has resolved by persuading a targeted client to open a specially created FLAC audio file with an application that has the insecure libFLAC edition.

Check Point analysis revealed that the LiveXLive music Streaming App, the Moto Voice command for Motorola telephones and various Yahoo applications still have the CVE-2014-8962. All these software have been downloaded from Google Play millions or tens of millions of times.

Check Point’s CVE-2015-8271 vulnerability also has an effect on the RTMPDump toolkit for RTMP streams and can be used for arbitrary code execution.

In libraries used in Twitter, Facebook Messenger, SHAREit, Mobile Legends: Bang Bang, Smule, JOOX Music, WeChat apps the security vulnerability has been found. The first three apps have over one billion Google Play downloads, while the remainder have over 100 million downloads.

Eventually, researchers scanned CVE-2016-3062 Google Play apps, impacting a Libav library, enabling remote code execution and DoS-attacks through specially crafted media files. In AliExpress, Video MP3 Converter, Lazada, VivaVideo, Smule, JOOX Music, Retrica and TuneIn apps, over 100 million Google Play-downloads have been found a library containing this vulnerability.

Overall, the three vulnerabilities affected hundreds of popular Android applications.

“Over two years ago, just three vulnerabilities make hundreds of apps vulnerable to remote code execution. Could you imagine how often an intruder could target common applications while searching Google Play for hundreds of known vulnerabilities?”Slava Makkaveev, the Checkpoint researcher who carried out the analysis, wrote on a blog post.

Makkaveev added, “To keep track of all security updated components in an extensive mobile app’s external components is a tedious task, and it is no surprise that few maintainers are ready to make the effort. Mobile app stores and security researchers proactively scan malware pattern applications but pay less attention to well-known critical vulnerabilities. Unfortunately, this means that the end user can not do much to keep his mobile device completely safe.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.