Security researchers at Check Point Research have reported a problem that popular Android apps from the Play Store remain unpatched. Because of this, hackers can get location data from Instagram, change Facebook messages, and read WeChat users' messages.
Many people believe that regularly updating applications to the latest version allows you to reliably protect yourself from malicious attacks. However, it turned out that this is not the case in all cases. Check Point researchers found that patches in apps such as Facebook, Instagram, and WeChat were not actually applied in the Play Store. This was discovered by scanning for a month the latest versions of a number of popular Android applications for vulnerabilities that the developers were aware of. As a result, it was found that despite regular updates to some applications, vulnerabilities remain open that allow arbitrary code to be executed to gain administrative control over applications.
Cross-analysis of the latest versions of the mentioned applications for the presence of three RCE vulnerabilities, the oldest of which dates back to 2014, showed the presence of vulnerable code in Facebook, Instagram and WeChat. This situation is due to the fact that mobile applications use dozens of reusable components, which are called native libraries and are created on the basis of open source projects. Such libraries are created by third-party developers who do not have access to them by the time the vulnerability is discovered. Because of this, an application can use an outdated version of the code for years, even if vulnerabilities are discovered in it.
The researchers believe that Google should pay more attention to the control of updates that developers release for their products. The process of updating components written by third-party developers should also be controlled.
Check Point has reported the issues to mobile app developers Facebook, Instagram and WeChat, as well as Google. Users are advised to use anti-virus software that can monitor vulnerable applications on a mobile gadget.
Source: 3dnews.ru