CVE-2020-8913 in Android
Summary
by MITRE
A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2. A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application's data on the Android device. We recommend all users update Play Core to version 1.7.2 or later.
Analysis
by VulDB Data Team • 12/04/2020
The vulnerability identified as CVE-2020-8913 is a critical local code-execution and privilege-escalation issue in Android's Play Core Library. It affects the SplitCompat.install endpoint, the code path that installs dynamic feature modules (splits) into an application. The root cause is inadequate input validation and path handling in the library's installation routines, which gives a malicious local package a way to execute arbitrary code on affected devices.
Exploitation relies on a crafted malicious APK that targets a specific application installed on the device. When the victim installs this package, the SplitCompat.install endpoint does not properly validate the paths derived from the package contents, so an attacker can perform directory traversal and influence where files are written during installation. The resulting code runs inside the targeted application's own process, with that application's privileges, which bypasses the application's security boundary rather than the operating system's; the attacker gains exactly what the targeted application is allowed to do.
From an operational perspective the impact is severe for Android users and developers alike. Because the attacker executes code as the targeted application, they gain access to that application's private data, including user credentials, personal information and application-specific storage. A compromised application environment also enables data exfiltration, persistence and further escalation. The vulnerability is particularly dangerous because it is triggered silently during the installation process, which makes it hard for end users and security tooling to notice, and it requires only a single installation action from the victim.
Security professionals should note that this vulnerability aligns with CWE-22 (Directory Traversal) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), both fundamental weaknesses in input validation and path handling. The attack pattern maps to the ATT&CK techniques T1059 (Command and Scripting Interpreter) and T1068 (Exploitation for Privilege Escalation). The vulnerability exists in Play Core Library versions prior to 1.7.2, so updating the library is the primary mitigation: version 1.7.2 and later include path validation and sanitization that prevent the directory traversal from succeeding. Developers should additionally validate any untrusted input that influences file paths in their applications and prefer secure installation mechanisms. Organizations should monitor for suspicious installation patterns and keep security tooling up to date in order to detect exploitation attempts.
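The following is an added example, not Play Core code and not taken from the advisory, of the kind of path containment the analysis above recommends: an application that writes split-module files named by an untrusted package into its own private directory checks each name before using it. Because Play Core is compiled into each application, the library fix only reaches a device when that application ships a rebuilt release, so an application-side check of this form is a useful second layer. The class name, the directory layout and the sample file names are all constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (hypothetical, not Play Core code): rejects split-module file names
 * that would escape the application's private split directory, the class of defect
 * CVE-2020-8913 describes. Directory and names below are constructed.
 */
public class SplitPathGuard {

    // Hypothetical app-private directory into which split modules are written.
    private final File splitDir;

    public SplitPathGuard(File splitDir) throws IOException {
        // Canonicalise once so later containment checks compare like with like.
        this.splitDir = splitDir.getCanonicalFile();
    }

    /**
     * Returns the resolved destination for a split name supplied by an untrusted
     * package, or throws if the name is not a single plain file name that resolves
     * strictly inside splitDir. Two layers: a syntactic allow-list on the name, then
     * a canonical-path containment check that also catches symlinks inside the directory.
     */
    public File resolveSplit(String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new IllegalArgumentException("empty split name");
        }
        // Layer 1: only [A-Za-z0-9._-], no leading dot, no path separators at all.
        if (!untrustedName.matches("[A-Za-z0-9_-][A-Za-z0-9._-]*")) {
            throw new IllegalArgumentException(
                    "split name contains disallowed characters: " + untrustedName);
        }
        // Layer 2: canonicalise and require the parent to be exactly splitDir.
        File candidate = new File(splitDir, untrustedName).getCanonicalFile();
        File parent = candidate.getParentFile();
        if (parent == null || !parent.equals(splitDir)) {
            throw new SecurityException("split name escapes split directory: " + untrustedName);
        }
        return candidate;
    }

    // Self-check over constructed names; prints which names are accepted or rejected.
    public static void main(String[] args) throws IOException {
        File dir = new File(System.getProperty("java.io.tmpdir"), "splits-example");
        dir.mkdirs();
        SplitPathGuard guard = new SplitPathGuard(dir);
        List<String> names = Arrays.asList(
                "feature_payment.apk",        // plain file name
                "../../shared_prefs/x.xml",   // traversal attempt
                "lib/../feature.apk",         // embedded separator
                ".config");                   // leading dot
        for (String n : names) {
            try {
                System.out.println("accept " + n + " -> " + guard.resolveSplit(n));
            } catch (RuntimeException e) {
                System.out.println("reject " + n + ": " + e.getMessage());
            }
        }
    }
}
```

The syntactic layer fails closed on anything that is not a bare file name, which is the cheap check; the canonical-path layer is what holds up when the name is syntactically clean but the file system has been shaped against the application (for example a symlink already placed in the split directory), so both are kept.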