Many Android apps still use a vulnerable Google Play Core library version

JC Torres - Dec 6, 2020, 7:42pm CST

Google has always advertised the Google Play Store not only as the Android app store but also as a trustworthy and secure source of apps. That security, however, is only as strong as the code Google ships to developers, and when a library that Google itself distributes turns out to be exploitable, the trust built on top of it goes with it. Unfortunately, while Google already plugged a recent security hole in its Google Play Core Library, many app developers have not done their part and are leaving their own apps and their users at risk.

The Google Play Core Library, as the name implies, is one of the basic building blocks of Google's mobile services that Android apps can embed to make developers' and users' lives easier. It provides functions such as downloading additional languages, assets, or features on demand, without shipping a full app update through the Play Store. It is a client library compiled into each app rather than a component of Play Services on the device, so every app carries its own copy. A large share of Android apps in the Play Store use these functions, which makes the Core Library a critical part of those apps.

Unfortunately, a severe flaw in the Core Library (CVE-2020-8913) let an attacker abuse that very functionality: a malicious app installed on the same device could trick the library into loading attacker-supplied code, which then ran inside the vulnerable app with that app's permissions and access to its data. Check Point Research's write-up details how the exploit works, and it is a frightening vulnerability if left unaddressed. Fortunately, Google patched the Play Core Library in April 2020, before the vulnerability was publicly disclosed in August.

That good news comes with a warning, however: the researchers found that many app developers still haven't moved to the fixed version of the Google Play Core Library. Unlike a server-side fix, where Google does all the work on its end, this one has to be applied by each app developer, by rebuilding the app against the patched library and shipping that update through the Play Store; until a user installs the updated app, the old copy of the library stays on the device. By Check Point's most recent count, an estimated 13% of apps on the Google Play Store have still not done so.
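Because the fix lives in each app's own build, the practical check for a developer is whether the app's Gradle dependencies still pin a pre-fix release of the library. The script below is an added example written for this page, not code from the article or from Google or Check Point. It scans a constructed build.gradle snippet for the com.google.android.play:core artifact and classifies each pin as vulnerable, patched, or unknown. It assumes the first patched release is 1.7.2 (the version named in Check Point's report, which the article itself does not cite), and it deliberately reports a version it cannot resolve, such as a Gradle variable, as unknown rather than silently treating it as safe.

```python
import re
from typing import Dict, List, Tuple

# Assumed threshold: the first Play Core release carrying the fix, as named in
# Check Point's report. Not stated on the page; adjust if your advisory says otherwise.
PATCHED_VERSION: Tuple[int, ...] = (1, 7, 2)
AFFECTED_ARTIFACT = "com.google.android.play:core"

# Matches Gradle dependency declarations such as:
#   implementation 'com.google.android.play:core:1.6.4'
#   implementation("com.google.android.play:core:1.8.0")
#   implementation "com.google.android.play:core:$playCoreVersion"
DEP_RE = re.compile(
    r"""(?P<conf>implementation|api|compileOnly|runtimeOnly)\s*\(?\s*["']"""
    r"""(?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<version>[\w.\-+${}]+)["']"""
)

# Constructed sample input; not taken from any real app.
SAMPLE_BUILD_GRADLE = """\
dependencies {
    implementation 'androidx.appcompat:appcompat:1.2.0'
    implementation 'com.google.android.play:core:1.6.4'      // pre-fix release
    implementation("com.google.android.play:core:1.8.0")     // post-fix release
    implementation "com.google.android.play:core:$playCoreVersion"
}
"""


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn '1.7.2' into (1, 7, 2). Qualifiers like '-beta01' are ignored.
    Returns an empty tuple when no numeric component is found, e.g. for a
    Gradle variable reference, so the caller can refuse to treat it as safe."""
    parts: List[int] = []
    for piece in raw.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def classify(raw_version: str) -> str:
    """Classify a pinned Play Core version against the patched threshold."""
    parsed = parse_version(raw_version)
    if not parsed:
        return "unknown"      # unresolved variable: resolve it before trusting it
    if parsed < PATCHED_VERSION:
        return "vulnerable"
    return "patched"


def scan_gradle(text: str) -> List[Dict[str, object]]:
    """Return one finding per Play Core dependency line in a Gradle file.
    Only direct declarations are seen; a transitive pull of the library
    (e.g. via another artifact) needs `gradle dependencies` output instead."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = DEP_RE.search(line)
        if not m:
            continue
        artifact = f"{m.group('group')}:{m.group('name')}"
        if artifact != AFFECTED_ARTIFACT:
            continue
        raw = m.group("version")
        findings.append({"line": lineno, "version": raw, "status": classify(raw)})
    return findings


def needs_action(findings: List[Dict[str, object]]) -> bool:
    """True if any pin is vulnerable or could not be resolved."""
    return any(f["status"] in ("vulnerable", "unknown") for f in findings)


if __name__ == "__main__":
    results = scan_gradle(SAMPLE_BUILD_GRADLE)
    for f in results:
        print(f"line {f['line']}: {AFFECTED_ARTIFACT}:{f['version']} -> {f['status']}")
    print("action required" if needs_action(results) else "all pins patched")
```

Run it against a real build.gradle by reading the file into `scan_gradle`; in a CI pipeline, fail the build when `needs_action` returns True, and remember that a clean result only covers direct declarations in that one file.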

This means those apps and their users remain exposed to a flaw that is now known to security researchers and attackers alike. Some developers responded to Check Point's report and updated their apps, but several popular ones, including Microsoft Edge, Moovit, and Cyberlink PowerDirector, have not.
