A Security Bug In Google Play Core Library Could Have Allowed Malicious Apps To Steal Sensitive Information From Other Applications On The Same Smartphone

A security bug in Android might have allowed malicious applications to steal sensitive information from other applications on the same Android device. A security bug has been discovered in Google Play's Core Library which might have granted access to malicious applications on Android to harvest private data. Google’s wide used Play Core Library allows developers to push in-app updates as well as new feature modules to their Android applications such as game levels and language packs. The app security startup Oversecured discovered this security vulnerability in Google’s Play Core Library.

An unauthorized application on the same Android smartphone could exploit the flaw in Play Core Library by injecting malicious modules into other applications that rely on Play Core Library to steal sensitive data such as login credentials and credit card numbers from inside the application. The founder of Oversecured, Sergey Toshin, told a media outlet that exploiting this security vulnerability was ‘pretty easy.’ Oversecured programmed a proof-of-concept application using a few lines code, and the startup tested the bug on Chrome for Android, which was uploaded using the vulnerable version of Google’s Play Core Library.

Sergey Toshin said that their proof-of-concept application was successful in stealing the passwords, browsing history, and login cookies of the victim. However, Toshin also said that this vulnerability also impacted some of the most popular Android applications in the Android app store. This specific version of Play Core Library made it possible for applications to ‘inject modules’ into other Android applications on the same device and obtain sensitive information such as credit card details and login credentials from them.

Toshin recommended that developers should update their applications with the latest version of Google’s Play Core Library to avoid any security threats. In March, Google confirmed this security bug and fixed the vulnerability. Furthermore, Google rated this bug 8.8 out of 10.0 for the severity of its threat. According to a company’s spokesman, Google appreciated the security researcher reporting this bug to Google, and as a result, the company patched the Android bug back in March of this year. Google suggests all users update Google’s Play Core Library to version 1.7.2 or later. The security vulnerability exists in Google’s Play Core Library versions prior to version 1.7.2 of Play Core Library.



Photo: SOPA Images via Getty Images

Read next: A Malware Discovered In Some Cheap Chinese-Made Smartphones Can Steal Data And Money From Users
Previous Post Next Post