Research by: Aviran Hazum, Jonathan Shimonovich
A new vulnerability for the Google Play Core Library was published in late August, which allows Local-Code-Execution (LCE) within the scope of any application that has the vulnerable version of the Google Play Core Library.
In this paper, we analyze the impact and magnitude of this vulnerability from a security perspective.
From Google’s Android Development Documentation:
The Play Core Library is your app’s runtime interface with the Google Play Store. Some of the things you can do with Play Core include the following:
So, basically, the Google Play Core Library is a gateway for interacting with Google Play Services from within the application itself, starting from dynamic code loading (such as downloading additional levels only when needed), to delivering locale-specific resources, to interacting with Google Play’s review mechanisms.
Many popular applications utilize this library including:
Facebook and Instagram alone are responsible for 5 billion and 1 billion downloads to date, respectively, from the Google Play Store. Imagine the number of devices that were impacted by this vulnerability.
OverSecured already covered the technical aspects of this vulnerability. For a more in-depth technical analysis, please refer to their blog.
A brief overview: Inside the sandbox of each application, there are two folders: one for “verified” files received from Google Play, and another for “non-verified” files. Files downloaded from Google Play services go into the verified folder, while files downloaded from other sources are sent to the non-verified folder. When a file is written to the verified folder, it interacts with the Google Play Core library which loads and executes it.
Another feature, an exported intent, allows other sources to push files into the hosting application’s sandbox. There are some limitations: the file is pushed into the non-verified folder, and it is not automatically handled by the library.
The vulnerability lies within the combination of the two features mentioned above, and also utilizes file traversal, a concept as old as the internet itself. When a 3rd party source pushes a file into another application, it needs to supply a path for the file to be written to. If an attacker uses file traversal (../verified_splits/my_evil_payload.apk), the payload is written to the verified folder, and is automatically loaded into the vulnerable application and executed within its scope.
Google patched this vulnerability on April 6, 2020.
Figure 1 – Infographic showing the attack chain.
When we combine popular applications that utilize the Google Play Core library, and the Local-Code-Execution vulnerability, we can clearly see the risks. If a malicious application exploits this vulnerability, it can gain code execution inside popular applications and have the same access as the vulnerable application.
The possibilities are limited only by our creativity. Here are just a few examples:
Since the vulnerability was patched in April, why is there cause for concern now? The answer is because the patch needs to be pushed by the developers into the application. Unlike server-side vulnerabilities, where the vulnerability is patched completely once the patch is applied to the server, for client-side vulnerabilities, each developer needs to grab the latest version of the library and insert it into the application.
As the human factor is one of the most difficult to overcome when it comes to security, we decided to see which applications patched the vulnerability, and which are still vulnerable to get an overall better understanding of the vulnerability’s magnitude.
Since the publication of this vulnerability, we started monitoring vulnerable applications.
During the month of September 2020, 13% of Google Play applications analyzed by SandBlast Mobile used this library, and 8% of those apps had a vulnerable version.
We also compared the September versions to the current versions on Google Play so we could see which applications are still affected. To our surprise, we discovered applications from a large variety of genres:
*Prior to this publication, we have notified the Apps about the vulnerability and the need to update the version of the library , in order not to be affected. Viber & Booking updated to the patched versions after our notification.
** 19:00 December 3rd 2020 – Both Grindr & Moovit have updated their versions to the patched version and are no longer vulnerable
*** 19:25 December 3rd 2020 – Cisco teams updated to the latest version and the app is no longer vulnerable
As our demo video shows, this vulnerability is easy to exploit. All you need to do is to create a “hello world” application that calls the exported intent in the vulnerable app to push a file into the verified files folder with the file-traversal path.
Then sit back and watch the magic happen. To demonstrate targeting a specific application, we took a vulnerable version of the Google Chrome application and created a dedicated payload to grab its bookmarks.
SandBlast Mobile can detect this vulnerability in both legitimate vulnerable applications, and malicious applications seeking to exploit it.
Check Point SandBlast Mobile is the market-leading Mobile Threat Defense (MTD) solution, providing the widest range of capabilities to help you secure your mobile workforce.
SandBlast Mobile provides protection for all mobile vectors of attack, including the download of malicious applications and applications with malware embedded in them.
|Package Name||Name||Version||Download Count|
|ru.yandex.taximeter||Yango Pro (Taximeter)||9.56||5,000,000|