High-Profile Android Applications Ridden by Old and Known Flaws

• Many widely used applications on the Android ecosystem are using vulnerable native libraries.
• The app maintainers don’t pay much attention to the code of the components they get from the shelf.
• Users who update to the latest version falsely think that they are using a safe and secure application.

Researchers of the Check Point team have discovered that many high-profile and widely used Android applications are using components that are carrying well-known and long-standing vulnerabilities. This case of negligence throws all benefits that derive from updating your system and applying the latest patches, which is entirely unacceptable. The researchers hypothesized the existence of these flaws in various applications and then decided to test their assumptions. They have used a collection of the most recent app versions that are available on the Google Play Store and tested them against a set of known flaws.

Some of the most notable findings of this research are the following:

• LiveXLive – 50 million downloads, vulnerable to CVE-2014-8962 (FLAC audio codec)
• Yahoo! Browser – 10 million downloads, vulnerable to CVE-2014-8962
• Facebook – 1 billion downloads, vulnerable to CVE-2015-8271 (FFmpeg RTMP video streaming)
• WeChat – 100 million downloads, vulnerable to CVE-2015-8271
• Mobile Legends: Bang Bang – 100 million downloads, vulnerable to CVE-2015-8271
• AliExpress – 100 million downloads, vulnerable to CVE-2016-3062 (FFmpeg libavformat media handling)
• TuneIn – 100 million downloads, vulnerable to CVE-2016-3062

As you can see, these vulnerabilities have been identified as far back as 2014, so pushing new app versions that still carry them is a massive problem for the users. All of the flaws that are presented above were fixed a long time ago, and malicious actors know how to exploit them. The problem is that app developers grab the native libraries they need without paying any attention to their version and whether the code is outdated. These native libraries are often derived from open-source projects and various fragments that come from multiple independent teams. That said, when a flaw is discovered somewhere, it is not easy to get it fixed immediately, nor is it in the control of those who compile the libraries.

All that said, Check Point’s research denotes that there are hundreds of Android apps that are vulnerable to exploitation, even if their users update them immediately. This is a fundamental problem that can be surprising to both the maintainers and the end-users, and malicious actors know it. While Google’s move to form the “App Defense Alliance” was undoubtedly in the right direction, malware detection shouldn’t be the only goal of the project. Scanning for long-standing known vulnerabilities and helping the app developers address them should finally become part of the app reviewing process.

Do you trust Android apps, or do you prefer the iOS ecosystem? Let us know where you stand in the comments down below, or on our socials, on Facebook and Twitter.