Strategic Security Survey: Global Threat, Local Pain

Some versions of the Android operating system -- though not the current one, version 2.2 -- are vulnerable to being remotely exploited.

That warning comes by way of a presentation, "Better Watch Your Apps," made Thursday by security researcher MJ Keith at the National Information Security Group (NAISG) HouSecCon conference in Houston. Keith, who works for log management, intrusion detection, and cloud security vendor Alert Logic, also released a YouTube video to demonstrate how his Android browser shell remote script could be used to run command-line code via a drive-by attack -- that is, after a user visited a malicious website.

On Friday, details of the "Android 2.0-2.1 Reverse Shell Exploit" vulnerability submitted by Keith also appeared on Exploit Database.

If successfully exploited, the vulnerability could give an attacker control of the Android browser. Due to sandboxing in the Android operating system, however, an attacker would only have access to what the Android browser can access.

The vulnerability stems from WebKit, the open-source rendering engine used in the Android -- as well as iPhone -- browsers. On a related note, a recent study from Cenzic found that the sharp rise in vulnerabilities affecting Apple Safari and Google Chrome could be traced to WebKit bugs.

The WebKit vulnerability exploited by Keith had been previously disclosed for Apple Safari, but not tied to Android.

Google acknowledged the vulnerability. "We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser," said a Google spokesperson via email. "The issue does not affect Android 2.2 or later versions."

According to Google, as of Monday, about 36% of all Android devices were running version 2.2 of the operating system, while 41% were running version 2.1.