Data-Leak Flaw Found In Newest Version Of Google AndroidData-Leak Flaw Found In Newest Version Of Google Android
'Gingerbread,' or Version 2.3, contains similar flaw as previous versions
January 28, 2011

Google's new Android version 2.3, a.k.a. Gingerbread, was supposed to close a previous data-leak hole in the smartphone operating system, but a researcher has discovered a new, similar hole in the OS.
Xuxian Jiang, a security researcher at NC State University, has tested and confirmed the bug on a Nexus S smartphone running Android 2.3. An attack would work like this: An Android user clicks on a malicious link in an email or in the browser, and an attacker could then read and upload any files on the phone's SD memory card, including things like online banking information, pictures, and saved voicemails. An attacker could also root out the phone's apps and upload them to a remote server, according to Jiang, who is an assistant professor in the computer science department.
Google's Android 2.3 was built to fix a similar flaw identified last year that gave an attacker access to files stored on the memory card. But NC State's discovery shows that Google's "fix" for the flaw can be bypassed.
"Unfortunately, our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed. We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone," Jiang wrote in an alert.
Jiang says he contacted Google's Android security team on Wednesday, and that they have begun an investigation into the issue. "Google is fully aware of this issue and is actively working on the patch," he told Dark Reading. "I was told that a temporary fix is planned for an OTA update. But an ultimate fix will be likely in the next major release."
[UPDATE]: A Google spokesperson said in a statement: "We've incorporated a fix for an issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone. We're in communication with our partners."
The attack is not a root exploit, however: It runs in the Android sandbox, so e-mail and SMS messages can't be accessed by an attacker, according to Jiang. No active exploits have been spotted in the wild.
For now, Android users can protect themselves by disabling JavaScript support in the browser, or by using a third-party browser for now. Another option is to remove the SD card, he says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication Methods
Oct 26, 2023Modern Supply Chain Security: Integrated, Interconnected, and Context-Driven
Nov 06, 2023How to Combat the Latest Cloud Security Threats
Nov 06, 2023Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and Phishing
Nov 01, 2023SecOps & DevSecOps in the Cloud
Nov 06, 2023