Mobile
2/19/2014
03:25 PM
Connect Directly
RSS
E-Mail
50%
50%

WebView Exploit Affects Most Android Phones

Critical bug affects devices running Jelly Bean (4.2) and earlier Android OSs, including fully updated versions of Google Glass, says Metasploit.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

An exploit for a vulnerability that affects an estimated 70% of all Android devices has been added to the Metasploit open-source penetration testing framework.

The "single-click" Metasploit exploit targets a vulnerability in a WebView component that's used by the native Android browser, although the component can also be used by other apps. Although the vulnerability has been present in some devices for nearly two years, it wasn't publicly disclosed until 14 months ago.

"This vulnerability is kind of a huge deal," said Tod Beardsley, the technical lead for the Metasploit Framework, in a blog post. "I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild."

The underlying privilege-escalation flaw, which involves a Java reflection API vulnerability, exists in versions of WebView prior to 4.2, and results from that component -- in some cases -- allow untrusted JavaScript code to be executed. As a result, an attacker could exploit the flaw to execute arbitrary commands.

[Major sites continue to fall victim to hackers. Read Yahoo Ads Hack Spreads Malware.] 

According to Google, at least 73% of in-use Android devices run version 4.1 or earlier of the mobile operating system.

The Metasploit module was created by Rapid7 developer Joe Vennix and Accuvant Labs security researcher Joshua Drake. Drake reported on Reddit that the vulnerability has been successfully exploited -- via the built-in Android browser -- on pre-4.2 devices, including Google Glass. "I can confirm it not only affects the stock browser but it affects Google Glass in its fully updated form (Android 4.0.4)," said Drake.

According to an attack-demonstration video published by Rapid7, the bug can be exploited by tricking a user into scanning a malicious QR code that includes the attack code, which then triggers the vulnerability in the Android browser and gives the attacker command-shell access to the device.

(Source: Wikipedia)
(Source: Wikipedia)

But the vulnerability can be exploited in other ways, too. "A secondary attack vector involves the WebViews embedded inside a large number of Android applications," says an overview published by Rapid7. "Ad integrations are perhaps the worst offender here." In particular, if an attacker could gain man-in-the-middle access to a vulnerable application's HTML connection, or to the cross-site scripting code used by the application, then the attacker could inject the malicious JavaScript code and gain command-shell access to the device.

How can Android users protect themselves against the vulnerability? That's an open question. "Who do you lean on to get this patched? The big box retailer who sold it to you? The manufacturer of the phone hardware? The cellphone service provider? Google?" said Rapid7's Beardsley. "It may seem a little spurious, but it's a question that's going to be asked by journalists, wonks, and -- hopefully -- consumer protection groups in the coming weeks."

The problem of device manufacturers that ship products with Android installed and then fail to update them in a timely manner led the American Civil Liberties Union to file a complaint with the Federal Trade Commission last year. The ACLU requested that the agency investigate the country's four major wireless carriers for unfair business practices, on the grounds that they hold customers to long-term contracts, yet often fail to keep those customers' devices secure.

Pending patches from handset manufacturers and carriers, what else could be done to arrest these types of vulnerabilities? Cutting down on the fragmentation of the Android ecosystem would be a good start.

On that front, a leaked memo that surfaced Sunday suggests that Google is aiming to prevent handset manufacturers from releasing devices that don't sport the latest version of the Android operating system, Mobile Bloom News first reported.

Google's carrot -- and stick -- for handset makers is that by using the latest version of Android, their devices will have access to Google Mobile Services (GMS), meaning the Google Services Framework and Google Play Store.

Or in the words of the memo: "Starting February 2014, Google will no longer approve GMS distribution on new Android products that ship older platform releases. Each platform release will have a 'GMS approval window' that typically closes nine months after the next Android platform release is publicly available. (In other words, we all have nine months to get new products on the latest platform after its public release.)"

That push for handset vendors to build the latest, or at least a very recent, version of Android into their devices would carry information security benefits, too, because newer versions of the operating system include patches for a number of well known vulnerabilities.

That said, Google still faces an uphill battle when it comes to getting device manufacturers to issue timely security updates -- or in some cases, any patches at all -- for devices they have already sold.

The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Number 6
50%
50%
Number 6,
User Rank: Apprentice
2/20/2014 | 2:16:52 PM
Re: Android's uphill battle
They already have your money and unless you root your phone, they're in full control. Samsung seems more interested in updating its Push Service, whatever that does.
Number 6
50%
50%
Number 6,
User Rank: Apprentice
2/20/2014 | 2:15:21 PM
Re: 93 weeks?
I haven't seen these companies, other than antivirus/firewall manufacturers, saying they put security first. It's like when car companies didn't want to advertise safety features because they feared the ads would remind drivers that their cars could crash. Volvo showed them that safety sells. But so far Samsung, Apple, ATT, Verizon, etc don't sell security except for your house. Irony noted.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
2/19/2014 | 4:59:51 PM
93 weeks?
Has this vulnerability really been left untended for 93 weeks? That's a pretty dismal response from companies that claim to put security first.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/19/2014 | 4:59:41 PM
Android's uphill battle
 You would think device manufacturers would know that timely patching is critical to the success of their products. Or am I missing something? 

 
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-3071
Published: 2014-07-26
Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection.

CVE-2014-3301
Published: 2014-07-26
The ProfileAction controller in Cisco WebEx Meetings Server (CWMS) 1.5(.1.131) and earlier allows remote attackers to obtain sensitive information by reading stack traces in returned messages, aka Bug ID CSCuj81700.

CVE-2014-3305
Published: 2014-07-26
Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, aka Bug ID CSCuj81735.

CVE-2014-3324
Published: 2014-07-26
Multiple cross-site scripting (XSS) vulnerabilities in the login page in the administrative web interface in Cisco TelePresence Server Software 4.0(2.8) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug ID CSCup90060.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.