Check Point experts found that many popular applications from the Google Play Store, including Facebook, Instagram, and WeChat, are still vulnerable to old, long-fixed bugs. The reason is that developers often do not update the third-party components of their products.
Researchers at Check Point Research cross-analyzed the latest versions of the most popular applications for three known remote code execution (RCE) vulnerabilities dating from 2014, 2015, and 2016.
“All of these bugs were identified in widely used third-party libraries, and have been fixed long ago. The problem is that developers often use fragments of open source projects and open source solutions, but then they don’t bother to update them regularly,” say researchers from Check Point.
One of the vulnerabilities the experts looked for was CVE-2014-8962, a buffer overflow in the libFLAC audio codec that can be used to execute arbitrary code or cause a denial of service (DoS). To exploit it, it is enough to convince the user to open a specially crafted FLAC file in an application that uses a vulnerable version of libFLAC. As it turned out, CVE-2014-8962 is still present in the LiveXLive music streaming application, the Moto Voice voice control application for Motorola devices, and various Yahoo applications. All of these applications have been downloaded from Google Play millions or tens of millions of times.
The second vulnerability is CVE-2015-8271. It affects RTMPDump and can also be used to execute arbitrary code. The vulnerability was discovered in the libraries used in the applications Facebook, Facebook Messenger, Lenovo SHAREit, Mobile Legends: Bang Bang, Smule, JOOX Music, and WeChat. The first three applications have more than one billion downloads on Google Play, and the rest more than 100 million downloads.
Finally, the researchers checked the applications for a third vulnerability, CVE-2016-3062, which is associated with the Libav library and allows remote execution of arbitrary code or a DoS attack through specially crafted multimedia files. The library containing this vulnerability has been identified in the applications AliExpress, Video MP3 Converter, Lazada, VivaVideo, Smule, JOOX Music, Retrica, and TuneIn, which have been downloaded from Google Play more than 100,000,000 times.
“Only three vulnerabilities, fixed more than two years ago, make hundreds of applications potentially vulnerable to remote code execution. Can you imagine how many popular applications an attacker can attack if he searches hundreds of known vulnerabilities on Google Play?” write the researchers.