Research by: Slava Makkaveev
Most mobile users understandably worry about known vulnerabilities in the core operating system of their devices, which can give an attacker complete control over their mobile phones, and about zero-day vulnerabilities which haven’t yet been addressed by the software vendors. The common perception is that as soon as a vulnerability is discovered in a software component, it’s immediately fixed. Therefore, by maintaining up-to-date versions of the mobile OS and all apps, you can keep your mobile device secure. However, Check Point Research shows that even long-since fixed vulnerabilities can be critically important, as outdated code can find its way into even the most popular apps.
A popular mobile app typically uses dozens of reusable components written in a low-level language such as C. These components, called native libraries, are often derived from open-source projects, or incorporate fragments of code from open-source projects. When a vulnerability is found and fixed in an open-source project, its maintainers typically have no control over the native libraries which may be affected by the vulnerability, nor the apps using these native libraries. This is how an app may keep using the outdated version of the code even years after the vulnerability is discovered. It may be overstating matters a bit to declare such an app vulnerable, as its flow may never reach the affected library code, but it certainly warrants an in-depth investigation by the app maintainers.
To verify our hypothesis that long-known vulnerabilities may persist even in apps recently published on Google Play, we scanned the native libraries bundled in those apps for known patterns associated with vulnerable versions of open-source code. The following tables summarize our results, as of June 2019, for three vulnerabilities of critical severity (arbitrary code execution) disclosed in 2014, 2015 and 2016 respectively. The full list includes hundreds of popular Android apps, including Yahoo! Browser, Facebook, Instagram and WeChat; only the most-downloaded entries are shown here.
Apps bundling a library affected by the 2014 vulnerability (FLAC-based components):

| Package name | App name | Downloads | Vulnerable library |
|---|---|---|---|
| com.slacker.radio | LiveXLive | 50,000,000+ | libLibFlacWrapper.so |
| com.motorola.audiomonitor | Moto Voice BETA | 10,000,000+ | libflacencoder.so, libvasflacencoder.so |
| jp.co.yahoo.android.apps.transit | Yahoo! Transit | 10,000,000+ | libyjvoice-4.6.0.so |
| jp.co.yahoo.android.ybrowser | Yahoo! Browser | 10,000,000+ | libyjvoice-4.7.0.so |
| jp.co.yahoo.android.apps.map | Yahoo! MAP | 5,000,000+ | libyjvoice-4.6.0.so |
| jp.co.yahoo.android.apps.navi | Yahoo! Car navigation | 5,000,000+ | libyjvoice-wakeup-4.6.0.so |
Apps bundling a library affected by the 2015 vulnerability (RTMP-based components):

| Package name | App name | Downloads | Vulnerable library |
|---|---|---|---|
| com.facebook.katana | Facebook | 1,000,000,000+ | librtmp.so |
| com.facebook.orca | Messenger | 1,000,000,000+ | librtmp.so |
| com.lenovo.anyshare.gps | SHAREit | 1,000,000,000+ | librtmp-jni.so |
| com.mobile.legends | Mobile Legends: Bang Bang | 100,000,000+ | libeasyrtmp.so |
| com.smule.singandroid | Smule | 100,000,000+ | libliteavsdk.so |
| com.tencent.ibg.joox | JOOX Music | 100,000,000+ | libliteavsdk.so |
| com.tencent.mm | WeChat | 100,000,000+ | libliteavsdk.so |

...and more than 200 further apps.
Apps bundling a library affected by the 2016 vulnerability (CVE-2016-3062, in FFmpeg/libav-derived media components):

| Package name | App name | Downloads | Vulnerable library |
|---|---|---|---|
| com.alibaba.aliexpresshd | AliExpress | 100,000,000+ | libtbffmpeg.so |
| com.fundevs.app.mediaconverter | Video MP3 Converter | 100,000,000+ | mediaplay |
| com.lazada.android | Lazada | 100,000,000+ | libtbffmpeg.so |
| com.quvideo.xiaoying | VivaVideo | 100,000,000+ | libffmpeg.so |
| com.smule.singandroid | Smule | 100,000,000+ | libsing.so |
| com.tencent.ibg.joox | JOOX Music | 100,000,000+ | libm4adecoder.so |
| com.venticake.retrica | Retrica | 100,000,000+ | libavformat.so, libf.so |
| tunein.player | TuneIn | 100,000,000+ | libtunein.uap.so |

...and more than 200 further apps.
Our tests also identified a CVE-2016-3062 pattern in the Instagram application (com.instagram.android). In correspondence with Facebook we were notified that:
“Instagram isn’t impacted by CVE-2016-3062 and we’ve had a patch in place since it was surfaced.”
| Package name | App name | Downloads | Library matched |
|---|---|---|---|
| com.instagram.android | Instagram | 1,000,000,000+ | libfb_ffmpeg.so |
It's important to note, as stated earlier, that the focus of our research was the overall state of security of applications on Google Play; it does not focus on any specific vulnerability in any specific application, and a pattern match alone does not establish that an app's code path ever reaches the affected library code. This also applies to the Instagram example above.
Just three vulnerabilities, all fixed over two years ago, make hundreds of apps potentially vulnerable to remote code execution. Can you imagine how many popular apps an attacker can target if he scans Google Play for a hundred known vulnerabilities?
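The scanning approach used in this research (looking inside an app's native libraries for patterns that identify a vulnerable open-source version, then repeating that check across a whole list of known vulnerabilities) can be sketched as follows. This is an added example, not Check Point's tooling: it opens an APK as the zip file it is, searches each `lib/<abi>/*.so` for the version strings that libFLAC and FFmpeg's libavformat embed in their binaries, and flags any version below a caller-supplied policy. The regular expressions and the thresholds in `EXAMPLE_POLICY` are illustrative assumptions, not statements of which release fixed which CVE, and `build_sample_apk` is a constructed fixture of fake ELF blobs rather than real libraries.

```python
"""Scan an APK's bundled native libraries for embedded version strings of
known open-source components and flag versions older than a policy allows.
Added example (not the research's own scanner); signatures and thresholds
are illustrative assumptions."""
import io
import re
import zipfile
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Assumed signatures: library name -> regex capturing a dotted version from a
# string the library leaves in its binary. libFLAC embeds its vendor string
# ("reference libFLAC x.y.z <date>"); libavformat embeds "Lavf<major.minor.micro>".
SIGNATURES: Dict[str, re.Pattern] = {
    "libFLAC": re.compile(rb"reference libFLAC (\d+(?:\.\d+)+)"),
    "libavformat": re.compile(rb"Lavf(\d+(?:\.\d+)+)"),
}

# Placeholder policy: earliest version treated as fixed. A real deployment fills
# one entry per advisory being hunted; these numbers are NOT taken from any CVE.
EXAMPLE_POLICY: Dict[str, Version] = {
    "libFLAC": (1, 3, 1),
    "libavformat": (57, 0, 0),
}


def parse_version(text: str) -> Version:
    return tuple(int(p) for p in text.split("."))


def find_library_versions(blob: bytes) -> Dict[str, List[Version]]:
    """Return every version string each known library left in the blob. One .so
    can carry several (statically linked forks), so all distinct ones are kept."""
    found: Dict[str, List[Version]] = {}
    for name, pattern in SIGNATURES.items():
        versions = sorted({parse_version(m.group(1).decode("ascii"))
                           for m in pattern.finditer(blob)})
        if versions:
            found[name] = versions
    return found


def scan_apk(apk_bytes: bytes, policy: Dict[str, Version]) -> List[Tuple[str, str, Version, bool]]:
    """Walk lib/<abi>/*.so inside the APK (an ordinary zip) and report
    (path, library, version, outdated) for every embedded version string."""
    report: List[Tuple[str, str, Version, bool]] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not (info.filename.startswith("lib/") and info.filename.endswith(".so")):
                continue
            blob = apk.read(info)
            if blob[:4] != b"\x7fELF":  # only real shared objects are of interest
                continue
            for lib, versions in find_library_versions(blob).items():
                for v in versions:
                    outdated = lib in policy and v < policy[lib]
                    report.append((info.filename, lib, v, outdated))
    return report


def outdated_libraries(apk_bytes: bytes, policy: Dict[str, Version] = EXAMPLE_POLICY) -> List[Tuple[str, str, str]]:
    """Only the flagged entries, with versions rendered as strings."""
    return [(path, lib, ".".join(map(str, v)))
            for path, lib, v, bad in scan_apk(apk_bytes, policy) if bad]


def build_sample_apk() -> bytes:
    """Constructed fixture: a zip laid out like an APK whose 'native libraries'
    are a fake ELF magic followed by the strings a scanner keys on. Not real code."""
    elf = b"\x7fELF" + b"\x00" * 12
    files = {
        "lib/arm64-v8a/libflacwrap.so": elf + b"...reference libFLAC 1.2.1 20070917...",
        "lib/arm64-v8a/libmedia.so": elf + b"...Lavf56.40.101...Lavf57.83.100...",
        "lib/arm64-v8a/libclean.so": elf + b"...reference libFLAC 1.3.2 20170101...",
        "assets/readme.txt": b"Lavf12.0.0 inside an asset is not a native library",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for row in scan_apk(build_sample_apk(), EXAMPLE_POLICY):
        print(row)
```

A hit from this kind of scan is a lead, not proof: vendors sometimes backport a fix without bumping the embedded version string, strip the strings entirely, or never call the affected code path, which is exactly the caveat the research itself makes. It is, however, cheap enough to run over an entire app store with one policy entry per known vulnerability.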
The following demo shows the PoC video file from the original CVE-2016-3062 report causing the latest version of VivaVideo app (com.quvideo.xiaoying, over 100 million downloads) to crash.
If you have a mobile device, you know how important it is to keep the core operating system and all installed apps up to date. It comes as a shock to discover that these precautions are of no help when app maintainers neglect to incorporate security fixes into their own copies of popular components. Keeping track of every security update in every external component of a sophisticated mobile app is a tedious task, and it's no surprise that few maintainers are willing to expend the effort. Mobile app stores and security researchers do proactively scan apps for malware patterns, but devote far less attention to long-known critical vulnerabilities in bundled code. Unfortunately, this means there's not much the end user can do to keep their mobile device fully secure.
Check Point’s SandBlast Mobile is a market-leading mobile threat defense solution, providing the widest range of products to help you secure your mobile world.
To learn more about how you can protect yourself from mobile malware, please check out our SandBlast Mobile product page.