Android Vulnerable To Drive-By Attack

Security researcher details code to remotely exploit the browser in Android OS 2.1 or earlier.

Mathew J. Schwartz, Contributor

November 5, 2010

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Strategic Security Survey: Global Threat, Local Pain

Strategic Security Survey: Global Threat, Local Pain


Strategic Security Survey: Global Threat, Local Pain (click image for larger view and for full slideshow)

Some versions of the Android operating system -- though not the current one, version 2.2 -- are vulnerable to being remotely exploited.

That warning comes by way of a presentation, "Better Watch Your Apps," made Thursday by security researcher MJ Keith at the National Information Security Group (NAISG) HouSecCon conference in Houston. Keith, who works for log management, intrusion detection, and cloud security vendor Alert Logic, also released a YouTube video to demonstrate how his Android browser shell remote script could be used to run command-line code via a drive-by attack -- that is, after a user visited a malicious website.

On Friday, details of the "Android 2.0-2.1 Reverse Shell Exploit" vulnerability submitted by Keith also appeared on Exploit Database.

If successfully exploited, the vulnerability could give an attacker control of the Android browser. Due to sandboxing in the Android operating system, however, an attacker would only have access to what the Android browser can access.

The vulnerability stems from WebKit, the open-source rendering engine used in the Android -- as well as iPhone -- browsers. On a related note, a recent study from Cenzic found that the sharp rise in vulnerabilities affecting Apple Safari and Google Chrome could be traced to WebKit bugs.

The WebKit vulnerability exploited by Keith had been previously disclosed for Apple Safari, but not tied to Android.

Google acknowledged the vulnerability. "We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser," said a Google spokesperson via email. "The issue does not affect Android 2.2 or later versions."

According to Google, as of Monday, about 36% of all Android devices were running version 2.2 of the operating system, while 41% were running version 2.1.

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights