A major flaw in the Google Play Core Library might have allowed unauthorized apps on Android to steal private user data. The Play Core Library allows developers to download additional language resources and manage the delivery of feature modules and asset packs in their apps. Oversecured, an app security startup, found the flaw.
The startup wrote a proof-of-concept app with minimal coding to test the vulnerability. They ran it against the Android version of Google Chrome, which used the bugged Google Play Core Library. Sergey Toshin, the founder of Oversecured, said that their app was successful in retrieving sensitive user data such as browsing history, passwords and login cookies. According to him, it was ‘pretty easy’ to exploit the bug, TechCrunch notes.
This particular version of Google Play Core Library made it possible for apps to ‘inject modules’ into other apps and obtain private data such as passwords and credit card details from them. Toshin suggested developers update their Google Play Core Library to avoid any threats.
Google fixed the bug in March and rated it 8.8/10 for the seriousness of its threat. A Google spokesperson said, “We appreciate the researcher reporting this issue to us, and as a result, it was patched in March.”