Mobile
2/19/2014
03:25 PM
Connect Directly
RSS
E-Mail
50%
50%

WebView Exploit Affects Most Android Phones

Critical bug affects devices running Jelly Bean (4.2) and earlier Android OSs, including fully updated versions of Google Glass, says Metasploit.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

An exploit for a vulnerability that affects an estimated 70% of all Android devices has been added to the Metasploit open-source penetration testing framework.

The "single-click" Metasploit exploit targets a vulnerability in a WebView component that's used by the native Android browser, although the component can also be used by other apps. Although the vulnerability has been present in some devices for nearly two years, it wasn't publicly disclosed until 14 months ago.

"This vulnerability is kind of a huge deal," said Tod Beardsley, the technical lead for the Metasploit Framework, in a blog post. "I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild."

The underlying privilege-escalation flaw, which involves a Java reflection API vulnerability, exists in versions of WebView prior to 4.2, and results from that component -- in some cases -- allow untrusted JavaScript code to be executed. As a result, an attacker could exploit the flaw to execute arbitrary commands.

[Major sites continue to fall victim to hackers. Read Yahoo Ads Hack Spreads Malware.] 

According to Google, at least 73% of in-use Android devices run version 4.1 or earlier of the mobile operating system.

The Metasploit module was created by Rapid7 developer Joe Vennix and Accuvant Labs security researcher Joshua Drake. Drake reported on Reddit that the vulnerability has been successfully exploited -- via the built-in Android browser -- on pre-4.2 devices, including Google Glass. "I can confirm it not only affects the stock browser but it affects Google Glass in its fully updated form (Android 4.0.4)," said Drake.

According to an attack-demonstration video published by Rapid7, the bug can be exploited by tricking a user into scanning a malicious QR code that includes the attack code, which then triggers the vulnerability in the Android browser and gives the attacker command-shell access to the device.

(Source: Wikipedia)
(Source: Wikipedia)

But the vulnerability can be exploited in other ways, too. "A secondary attack vector involves the WebViews embedded inside a large number of Android applications," says an overview published by Rapid7. "Ad integrations are perhaps the worst offender here." In particular, if an attacker could gain man-in-the-middle access to a vulnerable application's HTML connection, or to the cross-site scripting code used by the application, then the attacker could inject the malicious JavaScript code and gain command-shell access to the device.

How can Android users protect themselves against the vulnerability? That's an open question. "Who do you lean on to get this patched? The big box retailer who sold it to you? The manufacturer of the phone hardware? The cellphone service provider? Google?" said Rapid7's Beardsley. "It may seem a little spurious, but it's a question that's going to be asked by journalists, wonks, and -- hopefully -- consumer protection groups in the coming weeks."

The problem of device manufacturers that ship products with Android installed and then fail to update them in a timely manner led the American Civil Liberties Union to file a complaint with the Federal Trade Commission last year. The ACLU requested that the agency investigate the country's four major wireless carriers for unfair business practices, on the grounds that they hold customers to long-term contracts, yet often fail to keep those customers' devices secure.

Pending patches from handset manufacturers and carriers, what else could be done to arrest these types of vulnerabilities? Cutting down on the fragmentation of the Android ecosystem would be a good start.

On that front, a leaked memo that surfaced Sunday suggests that Google is aiming to prevent handset manufacturers from releasing devices that don't sport the latest version of the Android operating system, Mobile Bloom News first reported.

Google's carrot -- and stick -- for handset makers is that by using the latest version of Android, their devices will have access to Google Mobile Services (GMS), meaning the Google Services Framework and Google Play Store.

Or in the words of the memo: "Starting February 2014, Google will no longer approve GMS distribution on new Android products that ship older platform releases. Each platform release will have a 'GMS approval window' that typically closes nine months after the next Android platform release is publicly available. (In other words, we all have nine months to get new products on the latest platform after its public release.)"

That push for handset vendors to build the latest, or at least a very recent, version of Android into their devices would carry information security benefits, too, because newer versions of the operating system include patches for a number of well known vulnerabilities.

That said, Google still faces an uphill battle when it comes to getting device manufacturers to issue timely security updates -- or in some cases, any patches at all -- for devices they have already sold.

The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Number 6
50%
50%
Number 6,
User Rank: Apprentice
2/20/2014 | 2:16:52 PM
Re: Android's uphill battle
They already have your money and unless you root your phone, they're in full control. Samsung seems more interested in updating its Push Service, whatever that does.
Number 6
50%
50%
Number 6,
User Rank: Apprentice
2/20/2014 | 2:15:21 PM
Re: 93 weeks?
I haven't seen these companies, other than antivirus/firewall manufacturers, saying they put security first. It's like when car companies didn't want to advertise safety features because they feared the ads would remind drivers that their cars could crash. Volvo showed them that safety sells. But so far Samsung, Apple, ATT, Verizon, etc don't sell security except for your house. Irony noted.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
2/19/2014 | 4:59:51 PM
93 weeks?
Has this vulnerability really been left untended for 93 weeks? That's a pretty dismal response from companies that claim to put security first.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/19/2014 | 4:59:41 PM
Android's uphill battle
 You would think device manufacturers would know that timely patching is critical to the success of their products. Or am I missing something? 

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2006-1318
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

CVE-2012-2588
Published: 2014-09-19
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message.

CVE-2012-6659
Published: 2014-09-19
Cross-site scripting (XSS) vulnerability in the admin interface in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-1391
Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

CVE-2014-3614
Published: 2014-09-19
Unspecified vulnerability in PowerDNS Recursor (aka pdns_recursor) 3.6.x before 3.6.1 allows remote attackers to cause a denial of service (crash) via an unknown sequence of malformed packets.

Best of the Web
Dark Reading Radio