Grindr and others patch critical Android bug

Android mobile application developers, including those working on some of the world’s most prominent dating apps, have been rushing to apply a delayed patch to a critical flaw in the Google Play Core library – a critical element in the process of pushing app updates and new features live – that potentially left millions of mobile users exposed to compromise.

The bug in question, CVE-2020-8913, is a local, arbitrary code execution vulnerability, which could have let attackers create an Android Package Kit (APK) targeting an app that enables them to execute code as the targeted app, and ultimately access the target’s user data.

It was patched by Google earlier in 2020, but because it is a client-side vulnerability, rather than a server-side vulnerability, it cannot be mitigated in the wild unless app developers update their Play Core libraries.

Last week, researchers at Check Point revealed a number of popular apps were still open to exploitation of CVE-2020-8913, and informed the companies behind them. 

The unpatched apps included Booking, Bumble, Cisco Teams, Microsoft Edge, Grindr, OkCupid, Moovit, PowerDirector, Viber, Xrecorder and Yango Pro. Between them, these apps have accrued over 800,000,000 downloads, and many more are certainly affected. Of those, Grindr, Booking, Cisco Teams, Moovit and Viber have now confirmed the issue has been fixed.

A Grindr spokesperson told Computer Weekly: “We are grateful for the Check Point researcher who brought the vulnerability to our attention. On the same day that the vulnerability was brought to our attention, our team quickly issued a hotfix to address the issue.

“As we understand it, in order for this vulnerability to have been exploited, a user must have been tricked into downloading a malicious app onto their phone that is specifically tailored to exploit the Grindr app.

“As part of our commitment to improving the safety and security of our service, we have partnered with HackerOne, a leading security firm, to simplify and improve the ability for security researchers to report issues such as these. We provide an easy vulnerability disclosure page through HackerOne that is monitored directly by our security team.

“We will continue to enhance our practices to proactively address these and similar concerns as we continue our commitment to our users,” they said.

Aviran Hazum, Check Point’s manager of mobile research, said it estimated that hundreds of millions of Android owners remained at risk.

“The vulnerability CVE-2020-8913 is highly dangerous,” said Hazum. “If a malicious application exploits this vulnerability, it can gain code execution inside popular applications, obtaining the same access as the vulnerable application. For example, the vulnerability could allow a threat actor to steal two-factor authentication codes or inject code into banking applications to grab credentials.

“Or a threat actor could inject code into social media applications to spy on victims or inject code into all IM [instant messaging] apps to grab all messages. The attack possibilities here are only limited by a threat actor’s imagination,” said Hazum.