Unpatched Security Flaws Found On Popular Android Apps, Researchers Said


With the internet and mobile devices becoming more affordable and more available to the masses, apps are becoming the center of activities.

In most cases, the time people spend on their mobile devices involves using popular apps. Bad news for them: researchers found that many of the popular apps on the Google Play Store ship with outdated software components that contain unpatched security flaws.

The reason is that apps bundle third-party software components to power their features and functionality.

In this case, the developers of some popular apps have failed to patch those software components in a timely manner to mitigate known security and privacy risks.

According to a website post from the researchers at the cybersecurity firm Check Point Research:

"To verify our hypothesis that long-known vulnerabilities may persist even in apps recently published on Google Play, we scanned them for known patterns associated with vulnerable versions of open-source code. The following tables summarize our results, as of June 2019, for three vulnerabilities of critical severity (Arbitrary Code Execution) from 2014, 2015 and 2016. The list includes hundreds of popular Android apps, including Yahoo Browser, Facebook, Instagram and WeChat."
Table: Popular apps with CVE-2014-8962, CVE-2015-8271, and CVE-2016-3062, the three vulnerabilities found in popular, high-profile Android apps. (Credit: Check Point Research)

As seen above, the flaws affect audio and video playback libraries, as well as media handling (CVE-2014-8962, CVE-2015-8271, and CVE-2016-3062).
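The researchers describe scanning apps "for known patterns associated with vulnerable versions of open-source code". The following is an added example of that idea in Python; it is not Check Point's scanner and not code from any of the apps named above. It treats an APK as the zip file it is, pulls every bundled native library under `lib/`, looks for version strings, and flags versions older than a fixed-in version. The CVE identifiers come from the article; the library names, the version-string patterns and the fixed-in versions in the rule table are my assumptions for illustration and must be taken from the actual advisories before real use, and the sample APK is constructed in memory.

```python
"""Toy software-composition check for an APK's bundled native libraries.

Added example, not Check Point's tooling. It mirrors the approach the
researchers describe: look for known patterns of vulnerable open-source
versions. Library names, version-string regexes and fixed-in versions are
assumptions for the demo; replace them from the real advisories.
"""
import io
import re
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    cve: str          # CVE id as named in the article
    library: str      # assumed affected library (not stated on the page)
    pattern: bytes    # assumed regex for the version string inside the binary
    fixed_in: str     # assumed first fixed version; placeholder, verify it


# Illustrative rule table: CVE ids from the article, everything else assumed.
RULES = (
    Rule("CVE-2014-8962", "FLAC", rb"FLAC (\d+\.\d+\.\d+)", "1.3.1"),
    Rule("CVE-2015-8271", "librtmp", rb"librtmp/(\d+\.\d+)", "2.5"),
    Rule("CVE-2016-3062", "libav", rb"libav (\d+\.\d+)", "11.7"),
)


def version_tuple(version):
    """'1.3.0' -> (1, 3, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def scan_blob(name, data, rules=RULES):
    """Return (file, cve, library, found_version) for each rule whose
    version string appears in the binary and is older than fixed_in."""
    findings = []
    for rule in rules:
        for match in re.finditer(rule.pattern, data):
            found = match.group(1).decode()
            if version_tuple(found) < version_tuple(rule.fixed_in):
                findings.append((name, rule.cve, rule.library, found))
    return findings


def scan_apk(apk_bytes, rules=RULES):
    """Walk the APK (a zip archive) and scan every native library under lib/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.filename.startswith("lib/") and info.filename.endswith(".so"):
                findings.extend(scan_blob(info.filename, apk.read(info), rules))
    return findings


def build_sample_apk():
    """Constructed sample APK: fake .so files that only carry version strings.
    One FLAC build is older than the assumed fix, libav is newer, librtmp older."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("lib/arm64-v8a/libflac.so", b"\x7fELF...FLAC 1.3.0 ...")
        apk.writestr("lib/arm64-v8a/libav.so", b"\x7fELF...libav 11.8 ...")
        apk.writestr("lib/armeabi-v7a/librtmp.so", b"\x7fELF...librtmp/2.4 ...")
        apk.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print("%s: %s (%s %s)" % finding)
```

A string-pattern check like this is cheap enough to run across a whole app catalogue or in a release pipeline, but it only sees what survives in the binary: a library built without its version banner, statically linked into another object, or stripped of string tables gives no hit, so a miss is not evidence that the component is patched. Keeping a bill of materials for each build and checking it against advisories is the more reliable control for the maintainers the article is addressing.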

"Just three vulnerabilities, all fixed over two years ago, make hundreds of apps potentially vulnerable to remote code execution. Can you imagine how many popular apps an attacker can target if he scans Google Play for a hundred known vulnerabilities?" the researchers wrote.

Instagram was initially identified as one of the affected apps, but has since been ruled out. “Instagram isn’t impacted by CVE-2016-3062 and we’ve had a patch in place since it was surfaced,” Facebook told Check Point.

It's worth noting that the focus of this research was the overall state of security of applications on Google Play, not any specific vulnerability in any specific application. The presence of a flawed component alone also does not mean that an app is exploitable.

It does go to show that app maintainers need to be more rigorous about keeping the components inside their apps up to date.

Users of these apps are the most unfortunate ones, as there is nothing they can do to keep their devices secure: the flaws persist even after they update to the latest version if the app's developers don't update the vulnerable software component.

The reason these developers fall behind is that keeping track of every security update in every external component of a sophisticated mobile app is a tedious task.

It shouldn't be a surprise that few maintainers are willing to expend the effort.

These developers may be proactive in protecting their apps from malware, but they may not put as much focus on finding long-known critical vulnerabilities in the components they bundle.

“If you have a mobile device, you know how important it is to keep the core operating system and all installed apps up to date,” the researchers concluded. “It comes as a shock to discover that these precautions are of no help when the app maintainers neglect to incorporate security fixes into their versions of popular components.”

Further reading: 146 Security Flaws Found In Pre-Installed Apps From Android Phone Manufacturers