An app security firm by the name of ‘Oversecured’ discovered a flaw in Google’s own Play Core library. Play Core is a critical part of Android that is responsible for installing new modules and in-app updates on your phone. Think game levels, language packages, etc.
So, if you have a virus on your Android device, it could make use of the vulnerability. The exploit involves injecting code into apps that depend on the library to steal private information. It is able to obtain things like passwords, credit card numbers, social security numbers, mailing addresses, and much, much more.
This report comes from TechCrunch. The creator of Oversecured told them that it’s not at all hard to exploit this bug, referring to it as ‘pretty easy.’
Once Oversecured found the bug, they built an app using just a few lines of code to make use of it. The app they built targeted Chrome, and they were able to easily get the user’s passwords and login cookies. Not only that, but they were able to get the user’s browsing history as well. So, this is basically equivalent to a thief in the physical world finding your keys, and with those keys comes the physical location of each one of those locks. Not good.
This exploit doesn’t only work with Chrome, though; Toshin was able to get into other apps as well.
According to TechCrunch, Google gave the vulnerability a threat score of 8.8. If this was 8.8 out of 100, it would not be too big of a concern, but folks, the threat scale only goes up to 10. So, this being an 8.8, Google is basically saying that this threat is 88% as severe as it possibly could be. Not good at all.
The good thing about this, though, is that all you have to do to solve the problem on your device is update the Play Core library. You won’t have to wait for Google to release a whole new version of Android or anything.
It’s important to note that this bug has been long-patched even though TechCrunch, the source of this article, didn’t make that clear. ‘britchguy’ and ‘sectest3’ over on techsupportforums.com were quick to make that clear to us. Thanks guys!