[ad_1]
Google has always advertised Google Play Store not only as the Android application store, but also as a reliable and secure source of applications. However, that security is as strong as Google Play services and when the code behind that is opened up to security attacks, the house can easily collapse. Unfortunately, while Google has already plugged a recent security hole in its main Google Play library, app developers aren’t doing their part and putting their own apps and their users at risk.
The Google Play Core Library, as the name implies, is one of the most basic and fundamental components of Google’s mobile services that Android applications can use to make life easier for developers and users. It provides functionalities such as downloading languages, assets or additional functions without having to update the application from the Google Play Store. Virtually all Android apps on the Play Store make use of these features, making the main library a fundamental part of any Android app.
Unfortunately, a serious flaw in the main library took advantage of that functionality to make the library actually run malicious code. Check Point Research goes into detail about how the exploit works, and it’s a pretty scary vulnerability if left unaddressed. Fortunately, Google already patched the Play Core Library last April before the vulnerability was publicly disclosed in August.
However, instead of ending on that good note, security researchers caution that app developers have yet to upgrade to this latest version of the Google Play Core Library. Unlike server-side fixes where Google does all the work, app developers must apply this type of fix on their own by updating their apps to use the fixed version of the library. Based on their latest count, they estimate that 13% of the apps on the Google Play Store have yet to do so.
This basically means that these apps and users are still vulnerable to this security flaw that is now known to both security experts and hackers. While some responded to Check Point’s report and updated their apps, some popular ones, such as Microsoft Edge, Moovit, and Cyberlink PowerDirector, did not.
