A new flaw allows malicious apps to steal login details, messages, and other sensitive data from Android phones. It affects popular apps such as Edge Browser, OKCupid, XRecorder, and PowerDirector.
Security researchers from Check Point discovered a vulnerability tied to the Google Play Core Library, a collection of code designed to make updates across different kinds of apps smoother and easier for the user.
However, according to Ars Technica, the vulnerability would have allowed malicious apps to “copy files to a folder that was supposed to be reserved only for trusted code,” which meant a bad app could deliver malicious code through a trusted app, making even legitimate apps dangerous to the user.
This malicious code could be used to obtain 2FA codes, passwords, social media private messages, text messages, location data, and more. The affected apps included:
- Cisco Teams
- Yango Pro (Taximeter)
Of the affected apps, Booking, Viber, Grindr, Moovit, and Cisco Teams have patched the vulnerability with a recent update. If you have any of those apps, update them immediately to ensure you have the most recent and secure version.
If you have any of the other apps, we recommend deleting them until you’re sure their developers have released an update that fixes the vulnerability. Both Ars Technica and Check Point are updating their articles as more apps respond and fix the vulnerability, so check back often.