Security experts have observed that Android app makers have not patched the old security flaws, many of which even dates back to 2014. According to Check Point Software Technologies, most of these vulnerabilities exist in popular Android apps on the Google Play Store, including Facebook, WeChat, Facebook Messenger, Instagram, and Yahoo.
Source of Security Flaws
The researchers stated that app developers manage to copy code from vast code libraries while developing an application. Here, security bugs which existed in these code libraries get carried over to new Android apps.
“A popular mobile app typically uses dozens of reusable components written in a low-level language such as C. These components, called native libraries, are often derived from open-source projects, or incorporate fragments of code from open-source projects. When a vulnerability is found and fixed in an open-source project, its maintainers typically have no control over the native libraries which may be affected by the vulnerability, nor the apps using these native libraries. This is how an app may keep using the outdated version of the code even years after the vulnerability is discovered,” Check Point said in a statement.
“It may be overstating matters a bit to declare such an app vulnerable, as its flow may never reach the affected library code, but it certainly warrants an in-depth investigation by the app maintainers,” the statement added.
Check Point opined that while mobile app stores and security researchers scan applications for malware, they often give less attention to long-known critical flaws.
In its similar research, Check Point discovered that more than half of modern Android smartphones, including models by Sony, LG, Samsung, and Huawei are vulnerable to a text-based phishing attack.
Malicious actors are using fake phone provisioning messages to trick Android phone users into accepting new settings that provide access to attackers. The researchers stated that the phishing attack is performed through a process called over-the-air (OTA) provisioning, according to Check Point.
Check Point detailed the attack process as OMA CP (Open Mobile Alliance Client Provisioning) instructions, which is a special SMS sent by a mobile operator to new devices for network connection. Attackers sending fake OMA CP messages to users, which allow them to allegedly access the victim’s email and web traffic.