Long-known Vulnerabilities in High-Profile Android Applications

Research by: Slava Makkaveev

Introduction

Most mobile users understandably worry about known vulnerabilities in the core operating system of their devices, which can give an attacker complete control over their mobile phones, and about zero-day vulnerabilities which haven’t yet been addressed by the software vendors. The common perception is that as soon as a vulnerability is discovered in a software component, it’s immediately fixed. Therefore, by maintaining up-to-date versions of the mobile OS and all apps, you can keep your mobile device secure. However, Check Point Research shows that even long-since fixed vulnerabilities can be critically important, as outdated code can find its way into even the most popular apps.

A popular mobile app typically uses dozens of reusable components written in a low-level language such as C. These components, called native libraries, are often derived from open-source projects, or incorporate fragments of code from open-source projects. When a vulnerability is found and fixed in an open-source project, its maintainers typically have no control over the native libraries which may be affected by the vulnerability, nor the apps using these native libraries. This is how an app may keep using the outdated version of the code even years after the vulnerability is discovered. It may be overstating matters a bit to declare such an app vulnerable, as its flow may never reach the affected library code, but it certainly warrants an in-depth investigation by the app maintainers.

To verify our hypothesis that long-known vulnerabilities may persist even in apps recently published on Google Play, we scanned them for known patterns associated with vulnerable versions of open-source code. The following tables summarize our results, as of June 2019, for three vulnerabilities of critical severity (Arbitrary Code Execution) from 2014, 2015 and 2016. The list includes hundreds of popular Android apps, including Yahoo Browser, Facebook, Instagram and WeChat.
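As an added illustration of the scanning approach described above (example code written for this page, not Check Point's own tooling): the script opens an APK as a zip archive, reads each native library bundled under lib/, pulls out the version banners that FFmpeg's libavformat/libavcodec ("Lavf…"/"Lavc…") and libFLAC ("reference libFLAC …") compile into their binaries, and flags any component older than a configured minimum. The MIN_SAFE thresholds are placeholders to be filled in from the CVE advisories, and the APK is constructed in memory.

```python
import io
import re
import zipfile

# Version banners compiled into these libraries (FFmpeg's LIBAVFORMAT_IDENT/LIBAVCODEC_IDENT, libFLAC's vendor string).
BANNERS = {
    "libavformat": re.compile(rb"Lavf(\d+)\.(\d+)\.(\d+)"),
    "libavcodec": re.compile(rb"Lavc(\d+)\.(\d+)\.(\d+)"),
    "libFLAC": re.compile(rb"reference libFLAC (\d+)\.(\d+)\.(\d+)"),
}

# Placeholder minimum-safe versions (assumed for this example, not from the article): fill in from each CVE advisory.
MIN_SAFE = {"libavformat": (57, 41, 100), "libFLAC": (1, 3, 1)}

def find_component_versions(blob: bytes) -> dict:
    """Map component name -> lowest version banner found in one native library."""
    found = {}
    for name, pattern in BANNERS.items():
        versions = [tuple(int(g) for g in m.groups()) for m in pattern.finditer(blob)]
        if versions:
            found[name] = min(versions)
    return found

def scan_apk(apk_bytes: bytes, min_safe=MIN_SAFE) -> list:
    """Return (library path, component, version) for each bundled native library
    whose embedded component version is older than the configured minimum."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            if not (entry.startswith("lib/") and entry.endswith(".so")):
                continue  # only native libraries carry these banners
            for comp, ver in find_component_versions(apk.read(entry)).items():
                if comp in min_safe and ver < min_safe[comp]:
                    findings.append((entry, comp, ver))
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample: a zip laid out like an APK holding fake .so blobs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libffmpeg.so", b"\x7fELF..Lavf56.40.101\x00Lavc56.60.100\x00")
        z.writestr("lib/arm64-v8a/libflac.so", b"\x7fELF..reference libFLAC 1.3.0 20130526\x00")
        z.writestr("lib/arm64-v8a/libok.so", b"\x7fELF..reference libFLAC 1.3.2 20170101\x00")
        z.writestr("classes.dex", b"dex\n035\x00")  # not a native library, skipped
    return buf.getvalue()

if __name__ == "__main__":
    for path, comp, ver in scan_apk(build_sample_apk()):
        print(f"{path}: {comp} {'.'.join(map(str, ver))} is below the configured minimum")
```

A hit is a lead for the app maintainers, not proof of exploitability: banners can be stripped, and a fork may carry a backported fix under the old version string.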

CVE-2014-8962 (FLAC audio codec)

Package name                      App name                   Downloads       Vulnerable library
com.slacker.radio                 LiveXLive                  50,000,000+     libLibFlacWrapper.so
com.motorola.audiomonitor         Moto Voice BETA            10,000,000+     libflacencoder.so, libvasflacencoder.so
jp.co.yahoo.android.apps.transit  Yahoo! Transit             10,000,000+     libyjvoice-4.6.0.so
jp.co.yahoo.android.ybrowser      Yahoo! Browser             10,000,000+     libyjvoice-4.7.0.so
jp.co.yahoo.android.apps.map      Yahoo! MAP                 5,000,000+      libyjvoice-4.6.0.so
jp.co.yahoo.android.apps.navi     Yahoo! Car navigation      5,000,000+      libyjvoice-wakeup-4.6.0.so


CVE-2015-8271 (FFmpeg RTMP video streaming)

Package name                      App name                   Downloads       Vulnerable library
com.facebook.katana               Facebook                   1,000,000,000+  librtmp.so
com.facebook.orca                 Messenger                  1,000,000,000+  librtmp.so
com.lenovo.anyshare.gps           SHAREit                    1,000,000,000+  librtmp-jni.so
com.mobile.legends                Mobile Legends: Bang Bang  100,000,000+    libeasyrtmp.so
com.smule.singandroid             Smule                      100,000,000+    libliteavsdk.so
com.tencent.ibg.joox              JOOX Music                 100,000,000+    libliteavsdk.so
com.tencent.mm                    WeChat                     100,000,000+    libliteavsdk.so
+200 more apps


CVE-2016-3062 (FFmpeg libavformat media handling)

Package name                      App name                   Downloads       Vulnerable library
com.alibaba.aliexpresshd          AliExpress                 100,000,000+    libtbffmpeg.so
com.fundevs.app.mediaconverter    Video MP3 Converter        100,000,000+    mediaplay
com.lazada.android                Lazada                     100,000,000+    libtbffmpeg.so
com.quvideo.xiaoying              VivaVideo                  100,000,000+    libffmpeg.so
com.smule.singandroid             Smule                      100,000,000+    libsing.so
com.tencent.ibg.joox              JOOX Music                 100,000,000+    libm4adecoder.so
com.venticake.retrica             Retrica                    100,000,000+    libavformat.so, libf.so
tunein.player                     TuneIn                     100,000,000+    libtunein.uap.so
+200 more apps

An additional CVE-2016-3062 match was identified by our tests on the Instagram application (com.instagram.android). In correspondence with Facebook, we were notified that

“Instagram isn’t impacted by CVE-2016-3062 and we’ve had a patch in place since it was surfaced.” 

Package name                      App name                   Downloads       Vulnerable library
com.instagram.android             Instagram                  1,000,000,000+  libfb_ffmpeg.so

It's important to note, as stated earlier, that the focus of our research was on the state of security of applications on Google Play, not on any specific vulnerability in any specific application. This also applies to the Instagram example above.

Just three vulnerabilities, all fixed over two years ago, make hundreds of apps potentially vulnerable to remote code execution. Can you imagine how many popular apps an attacker can target if he scans Google Play for a hundred known vulnerabilities?

The following demo shows the PoC video file from the original CVE-2016-3062 report causing the latest version of VivaVideo app (com.quvideo.xiaoying, over 100 million downloads) to crash.

/wp-content/uploads/2019/10/Crash_from_2016.mp4


Conclusion

If you have a mobile device, you know how important it is to keep the core operating system and all installed apps up to date. It comes as a shock to discover that these precautions are of no help when the app maintainers neglect to incorporate security fixes into their versions of popular components. Keeping track of all security updates in all external components of a sophisticated mobile app is a tedious task, and it’s no surprise that few maintainers are willing to expend the effort. Mobile app stores and security researchers do proactively scan apps for malware patterns, but devote less attention to long-known critical vulnerabilities. Unfortunately, this means there’s not much the end user can do to keep his mobile device fully secure.


Check Point’s SandBlast Mobile is a market-leading mobile threat defense solution, providing the widest range of products to help you secure your mobile world.

To learn more about how you can protect yourself from mobile malware, please check out our SandBlast Mobile product page.

The post Long-known Vulnerabilities in High-Profile Android Applications appeared first on Check Point Research.

Article Link: https://research.checkpoint.com/2019/long-known-vulnerabilities-in-high-profile-android-applications/