Most people think that if they keep their mobile apps updated to the latest version, they are also patched against critical vulnerabilities. Not so, said researchers from Check Point Software, who discovered that outdated code—including known vulnerabilities—is still present in hundreds of popular apps on the Google Play Store, including Facebook, Instagram, WeChat and Yahoo Browser.
In a month-long study, Check Point Research examined the latest versions of these and other high-profile mobile apps for three known remote code execution (RCE) vulnerabilities dating from 2014, 2015 and 2016, Check Point security researcher Slava Makkaveev revealed in research posted online Thursday.
Researchers assigned each vulnerability two signatures, then ran a static engine to examine hundreds of mobile applications in Google’s Play Store to see if old, vulnerable code was present in the latest version of the application.
What they found may surprise many: critical vulnerabilities that app makers claim have been patched still existed in the latest versions of popular mobile applications, according to Makkaveev.
“Just three vulnerabilities, all fixed over two years ago, make hundreds of apps potentially vulnerable to remote code execution,” he wrote. “Can you imagine how many popular apps an attacker can target if he scans Google Play for a hundred known vulnerabilities?”
The research shows that updates pushed out by app makers are not a failsafe for keeping mobile devices secure from threats, according to Check Point.
“Theoretically, threat actors can steal and alter posts on Facebook, extract location data from Instagram and read SMS messages in WeChat,” Check Point said in an email to Threatpost.
The research is more bad news for Google, which has struggled to keep bad apps—some impersonating legitimate ones—from finding their way onto Google Play. Now users also have to contend with legitimate apps that contain vulnerable code even when they diligently keep them up to date.
The problem lies in very old code in the form of reusable components called native libraries that are still running on mobile apps and typically can’t be fixed with an update, according to Check Point.
Part of Check Point’s research focused on three critical vulnerabilities: a FLAC audio codec bug (CVE-2014-8962), an FFmpeg RTMP video streaming flaw (CVE-2015-8271) and an FFmpeg libavformat media handling issue (CVE-2016-3062).
This code is “often derived from open-source projects or incorporates fragments of code from open-source projects,” Makkaveev wrote. “When a vulnerability is found and fixed in an open-source project, its maintainers typically have no control over the native libraries which may be affected by the vulnerability, nor the apps using these native libraries.”
In this way, an app may keep using the outdated version of the code even years after the vulnerability is discovered and ostensibly fixed, he wrote.
“It may be overstating matters a bit to declare such an app vulnerable, as its flow may never reach the affected library code, but it certainly warrants an in-depth investigation by the app maintainers,” according to Makkaveev.
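The scan described above (signatures per vulnerability, run statically over an app's native libraries) can be sketched as follows. This is an added illustration, not Check Point's engine: the signature byte patterns are constructed placeholders, and the "APK" is an in-memory zip built for the example. Each library carries one marker expected in the vulnerable build and one expected only in the patched build, so a library is flagged only when the former is present and the latter absent, and every per-ABI copy is checked.

```python
import io
import re
import zipfile

# Hypothetical signature table, constructed for this example. Real signatures
# would be byte patterns taken from the vulnerable and patched library builds;
# the strings below are placeholders standing in for them.
SIGNATURES = {
    "CVE-2014-8962": {"lib": re.compile(r"libFLAC"),
                      "vulnerable": b"PLACEHOLDER-FLAC-VULN", "fixed": b"PLACEHOLDER-FLAC-FIX"},
    "CVE-2015-8271": {"lib": re.compile(r"libavformat|librtmp"),
                      "vulnerable": b"PLACEHOLDER-RTMP-VULN", "fixed": b"PLACEHOLDER-RTMP-FIX"},
    "CVE-2016-3062": {"lib": re.compile(r"libavformat"),
                      "vulnerable": b"PLACEHOLDER-AVF-VULN", "fixed": b"PLACEHOLDER-AVF-FIX"},
}

def native_libs(apk_bytes):
    """Yield (path, bytes) for each native library under lib/ in the APK (a zip file)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                yield name, apk.read(name)

def scan_apk(apk_bytes):
    """Map each CVE to the library paths whose vulnerable-build signature matches
    while the patched-build signature is absent. Each ABI copy is checked separately."""
    findings = {}
    for path, blob in native_libs(apk_bytes):
        for cve, sig in SIGNATURES.items():
            if sig["lib"].search(path) and sig["vulnerable"] in blob and sig["fixed"] not in blob:
                findings.setdefault(cve, []).append(path)
    return findings

def build_sample_apk(libs):
    """Constructed stand-in for an APK: a zip holding the given lib/ entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        for path, content in libs.items():
            apk.writestr(path, content)
    return buf.getvalue()

# Constructed sample: libavformat carries only the vulnerable markers and ships for two
# ABIs; libFLAC carries both markers, i.e. an up-to-date build that must not be flagged.
SAMPLE_APK = build_sample_apk({
    "lib/arm64-v8a/libavformat.so": b"\x7fELF..." + b"PLACEHOLDER-RTMP-VULN PLACEHOLDER-AVF-VULN",
    "lib/armeabi-v7a/libavformat.so": b"\x7fELF..." + b"PLACEHOLDER-RTMP-VULN PLACEHOLDER-AVF-VULN",
    "lib/arm64-v8a/libFLAC.so": b"\x7fELF..." + b"PLACEHOLDER-FLAC-VULN PLACEHOLDER-FLAC-FIX",
})

if __name__ == "__main__":
    for cve, paths in sorted(scan_apk(SAMPLE_APK).items()):
        print(cve, "->", ", ".join(paths))
```

As the article notes, a match means the outdated code is present, not that the app's execution ever reaches it; the finding is a trigger for the maintainers' investigation, not a confirmed exploit path.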
Check Point has informed the companies responsible for the applications its study found to be still vulnerable, including Google. For the time being, the security firm urges people to install an antivirus app that monitors for vulnerable apps on their mobile devices, the company said.