The latest versions of so many popular apps from Google Play are proved to carry vulnerabilities that can put users at risk with Remote Code Execution (RCE) attacks.
When we get the apps from the official parties, we usually assume that the security updates are applied and that once installed, the software will make sure that the app will have its fixes in time. But cybersecurity researchers stated that the patches that were supposed to fix the issues known for years from the most popular apps on the Google Play Store were not applied.
Researchers conducted a study in May about the presence of vulnerabilities in popular mobile apps. They showed that the use of third-party apps or open-source resources was the reason behind the old and vulnerable code still being there in the apps.
When such a vulnerability is found and fixed with an open-source project, they don’t have control over the libraries, which can also be affected by the vulnerability. They don’t have control of the apps that are using the library, either. This is the way an app keeps using the outdated version of the code many years after the vulnerability is found.
Researchers have taken a look at these targeted mobile apps, and they look for three RCE vulnerabilities from 2014, 2015, and 2016. Every bug had two signatures, and then hundreds of apps were scanned in the Google Play Store.
The very first thing they looked for was a stack-based buffer problem found in libFLAC before 1.3.1. This allowed the attackers to get RCE through a .flac fil, that’s been taken care of before. The .flac audio vulnerabilities and the libraries that used this code were found in four Yahoo! Apps, LiveXLive, and Moto Voice BETA.