Xuxian Jiang, a security researcher at NC State University, has tested and confirmed the bug on a Nexus S smartphone running Android 2.3. An attack would work like this: An Android user clicks on a malicious link in an email or in the browser, and an attacker could then read and upload any files on the phone's SD memory card, including things like online banking information, pictures, and saved voicemails. An attacker could also root out the phone's apps and upload them to a remote server, according to Jiang, who is an assistant professor in the computer science department.
Google's Android 2.3 was built to fix a similar flaw identified last year that gave an attacker access to files stored on the memory card. But NC State's discovery shows that Google's "fix" for the flaw can be bypassed.
"Unfortunately, our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed. We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone," Jiang wrote in an alert.
Jiang says he contacted Google's Android security team on Wednesday, and that they have begun an investigation into the issue. "Google is fully aware of this issue and is actively working on the patch," he told Dark Reading. "I was told that a temporary fix is planned for an OTA update. But an ultimate fix will be likely in the next major release."
[UPDATE]: A Google spokesperson said in a statement: "We've incorporated a fix for an issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone. We're in communication with our partners."
The attack is not a root exploit, however: It runs in the Android sandbox, so e-mail and SMS messages can't be accessed by an attacker, according to Jiang. No active exploits have been spotted in the wild.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.