CVE-2020-8913

Name of the Vulnerable Software and Affected Versions Google Play Core Library versions prior to 1.7.2

Description A local, arbitrary code execution issue exists in the SplitCompat.install endpoint in Android's Play Core Library. This allows a malicious attacker to create an apk that targets a specific application, potentially leading to directory traversal, code execution as the targeted application, and access to the targeted application's data on the Android device. The vulnerability is estimated to affect approximately 13% of Android applications, with around 8% still using the vulnerable library. This could put millions of users at risk of code injection attacks, such as intercepting SMS two-factor authentication in banking apps or accessing secret conversations in messaging apps.

Recommendations Update Play Core to version 1.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the SplitCompat.install endpoint until a patch is available. Avoid using the vulnerable library in applications until the issue is resolved. For applications using the Google Play Core Library, ensure that all updates are installed from trusted sources to minimize the risk of exploitation.