'Gingerbread,' or Version 2.3, contains similar flaw as previous versions

Google's new Android version 2.3, a.k.a. Gingerbread, was supposed to close a previous data-leak hole in the smartphone operating system, but a researcher has discovered a new, similar hole in the OS.

Xuxian Jiang, a security researcher at NC State University, has tested and confirmed the bug on a Nexus S smartphone running Android 2.3. An attack would work like this: An Android user clicks on a malicious link in an email or in the browser, and an attacker could then read and upload any files on the phone's SD memory card, including things like online banking information, pictures, and saved voicemails. An attacker could also root out the phone's apps and upload them to a remote server, according to Jiang, who is an assistant professor in the computer science department.

Google's Android 2.3 was built to fix a similar flaw identified last year that gave an attacker access to files stored on the memory card. But NC State's discovery shows that Google's "fix" for the flaw can be bypassed.

"Unfortunately, our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed. We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone," Jiang wrote in an alert.

Jiang says he contacted Google's Android security team on Wednesday, and that they have begun an investigation into the issue. "Google is fully aware of this issue and is actively working on the patch," he told Dark Reading. "I was told that a temporary fix is planned for an OTA update. But an ultimate fix will be likely in the next major release."

[UPDATE]: A Google spokesperson said in a statement: "We've incorporated a fix for an issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone. We're in communication with our partners."

The attack is not a root exploit, however: It runs in the Android sandbox, so e-mail and SMS messages can't be accessed by an attacker, according to Jiang. No active exploits have been spotted in the wild.

For now, Android users can protect themselves by disabling JavaScript support in the browser, or by using a third-party browser for now. Another option is to remove the SD card, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights