2/19/2014
03:25 PM

WebView Exploit Affects Most Android Phones

Critical bug affects devices running Jelly Bean (4.2) and earlier Android OSs, including fully updated versions of Google Glass, says Metasploit.


An exploit for a vulnerability that affects an estimated 70% of all Android devices has been added to the Metasploit open-source penetration testing framework.

The "single-click" Metasploit exploit targets a vulnerability in a WebView component that's used by the native Android browser, although the component can also be used by other apps. Although the vulnerability has been present in some devices for nearly two years, it wasn't publicly disclosed until 14 months ago.

"This vulnerability is kind of a huge deal," said Tod Beardsley, the technical lead for the Metasploit Framework, in a blog post. "I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild."

The underlying privilege-escalation flaw, which involves a Java reflection API vulnerability, exists in versions of WebView prior to 4.2, and results from that component -- in some cases -- allowing untrusted JavaScript code to be executed. As a result, an attacker could exploit the flaw to execute arbitrary commands.


According to Google, at least 73% of in-use Android devices run version 4.1 or earlier of the mobile operating system.

The Metasploit module was created by Rapid7 developer Joe Vennix and Accuvant Labs security researcher Joshua Drake. Drake reported on Reddit that the vulnerability has been successfully exploited -- via the built-in Android browser -- on pre-4.2 devices, including Google Glass. "I can confirm it not only affects the stock browser but it affects Google Glass in its fully updated form (Android 4.0.4)," said Drake.

According to an attack-demonstration video published by Rapid7, the bug can be exploited by tricking a user into scanning a malicious QR code that includes the attack code, which then triggers the vulnerability in the Android browser and gives the attacker command-shell access to the device.

(Source: Wikipedia)

But the vulnerability can be exploited in other ways, too. "A secondary attack vector involves the WebViews embedded inside a large number of Android applications," says an overview published by Rapid7. "Ad integrations are perhaps the worst offender here." In particular, if an attacker could gain man-in-the-middle access to a vulnerable application's HTML connection, or to the cross-site scripting code used by the application, then the attacker could inject the malicious JavaScript code and gain command-shell access to the device.
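A defender's check for the embedded-WebView vector described above, added here as an example and not code from Rapid7, Metasploit or the article: it flags app sources that attach a JavaScript bridge to a WebView while the app is still installable on pre-4.2 devices, plus cleartext page loads in the same file. It assumes the flaw is reached through `WebView.addJavascriptInterface` (the Android API that exposes Java objects to page script; the article does not name it) and that `minSdkVersion` is declared in the manifest; the finding labels and the sample manifest and sources are constructed.

```python
import re

FIXED_API_LEVEL = 17  # Android 4.2, the first release the article lists as unaffected
MIN_SDK_RE = re.compile(r'android:minSdkVersion\s*=\s*"(\d+)"')
BRIDGE_RE = re.compile(r'\.addJavascriptInterface\s*\(')
CLEARTEXT_RE = re.compile(r'\.loadUrl\s*\(\s*"http://')

def min_sdk(manifest_xml):
    """Declared minSdkVersion; Android assumes 1 when the attribute is absent."""
    m = MIN_SDK_RE.search(manifest_xml)
    return int(m.group(1)) if m else 1

def audit(manifest_xml, sources):
    """Return (file, line, finding) tuples for a {filename: java_source} dict."""
    if min_sdk(manifest_xml) >= FIXED_API_LEVEL:
        return []  # not installable on the affected Android versions
    findings = []
    for name, text in sorted(sources.items()):
        lines = text.splitlines()
        has_bridge = any(BRIDGE_RE.search(l) for l in lines)
        for no, line in enumerate(lines, 1):
            if BRIDGE_RE.search(line):
                findings.append((name, no, "js-bridge-on-pre-4.2"))
            elif has_bridge and CLEARTEXT_RE.search(line):
                # Cleartext content can be altered in transit (the MITM case above)
                findings.append((name, no, "cleartext-load-with-bridge"))
    return findings

# Constructed sample input (hypothetical app, not from the article)
SAMPLE_MANIFEST = '<manifest><uses-sdk android:minSdkVersion="10"/></manifest>'
SAMPLE_SOURCES = {
    "AdView.java": (
        'WebView w = new WebView(ctx);\n'
        'w.getSettings().setJavaScriptEnabled(true);\n'
        'w.addJavascriptInterface(new AdBridge(), "bridge");\n'
        'w.loadUrl("http://ads.example.invalid/banner.html");\n'
    ),
    "HelpActivity.java": (
        'WebView w = new WebView(this);\n'
        'w.loadUrl("http://example.invalid/help.html");\n'
    ),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(finding)
```

On Android 4.2 and later, apps that target API level 17 or higher expose only methods annotated with `@JavascriptInterface` to page script, so raising `minSdkVersion` clears the first finding.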

How can Android users protect themselves against the vulnerability? That's an open question. "Who do you lean on to get this patched? The big box retailer who sold it to you? The manufacturer of the phone hardware? The cellphone service provider? Google?" said Rapid7's Beardsley. "It may seem a little spurious, but it's a question that's going to be asked by journalists, wonks, and -- hopefully -- consumer protection groups in the coming weeks."

The problem of device manufacturers that ship products with Android installed and then fail to update them in a timely manner led the American Civil Liberties Union to file a complaint with the Federal Trade Commission last year. The ACLU requested that the agency investigate the country's four major wireless carriers for unfair business practices, on the grounds that they hold customers to long-term contracts, yet often fail to keep those customers' devices secure.

Pending patches from handset manufacturers and carriers, what else could be done to arrest these types of vulnerabilities? Cutting down on the fragmentation of the Android ecosystem would be a good start.

On that front, a leaked memo that surfaced Sunday suggests that Google is aiming to prevent handset manufacturers from releasing devices that don't sport the latest version of the Android operating system, Mobile Bloom News first reported.

Google's carrot -- and stick -- for handset makers is that by using the latest version of Android, their devices will have access to Google Mobile Services (GMS), meaning the Google Services Framework and Google Play Store.

Or in the words of the memo: "Starting February 2014, Google will no longer approve GMS distribution on new Android products that ship older platform releases. Each platform release will have a 'GMS approval window' that typically closes nine months after the next Android platform release is publicly available. (In other words, we all have nine months to get new products on the latest platform after its public release.)"

That push for handset vendors to build the latest, or at least a very recent, version of Android into their devices would carry information security benefits, too, because newer versions of the operating system include patches for a number of well known vulnerabilities.

That said, Google still faces an uphill battle when it comes to getting device manufacturers to issue timely security updates -- or in some cases, any patches at all -- for devices they have already sold.


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
Number 6,
User Rank: Apprentice
2/20/2014 | 2:16:52 PM
Re: Android's uphill battle
They already have your money and unless you root your phone, they're in full control. Samsung seems more interested in updating its Push Service, whatever that does.
Number 6,
User Rank: Apprentice
2/20/2014 | 2:15:21 PM
Re: 93 weeks?
I haven't seen these companies, other than antivirus/firewall manufacturers, saying they put security first. It's like when car companies didn't want to advertise safety features because they feared the ads would remind drivers that their cars could crash. Volvo showed them that safety sells. But so far Samsung, Apple, ATT, Verizon, etc don't sell security except for your house. Irony noted.
Thomas Claburn,
User Rank: Ninja
2/19/2014 | 4:59:51 PM
93 weeks?
Has this vulnerability really been left untended for 93 weeks? That's a pretty dismal response from companies that claim to put security first.
Marilyn Cohodas,
User Rank: Strategist
2/19/2014 | 4:59:41 PM
Android's uphill battle
 You would think device manufacturers would know that timely patching is critical to the success of their products. Or am I missing something? 

 