Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

WebView Exploit Affects Most Android Phones

Critical bug affects devices running Jelly Bean (4.2) and earlier Android OSs, including fully updated versions of Google Glass, says Metasploit.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

An exploit for a vulnerability that affects an estimated 70% of all Android devices has been added to the Metasploit open-source penetration testing framework.

The "single-click" Metasploit exploit targets a vulnerability in a WebView component that's used by the native Android browser, although the component can also be used by other apps. Although the vulnerability has been present in some devices for nearly two years, it wasn't publicly disclosed until 14 months ago.

"This vulnerability is kind of a huge deal," said Tod Beardsley, the technical lead for the Metasploit Framework, in a blog post. "I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild."

The underlying privilege-escalation flaw, which involves a Java reflection API vulnerability, exists in versions of WebView prior to 4.2, and results from that component -- in some cases -- allow untrusted JavaScript code to be executed. As a result, an attacker could exploit the flaw to execute arbitrary commands.

[Major sites continue to fall victim to hackers. Read Yahoo Ads Hack Spreads Malware.] 

According to Google, at least 73% of in-use Android devices run version 4.1 or earlier of the mobile operating system.

The Metasploit module was created by Rapid7 developer Joe Vennix and Accuvant Labs security researcher Joshua Drake. Drake reported on Reddit that the vulnerability has been successfully exploited -- via the built-in Android browser -- on pre-4.2 devices, including Google Glass. "I can confirm it not only affects the stock browser but it affects Google Glass in its fully updated form (Android 4.0.4)," said Drake.

According to an attack-demonstration video published by Rapid7, the bug can be exploited by tricking a user into scanning a malicious QR code that includes the attack code, which then triggers the vulnerability in the Android browser and gives the attacker command-shell access to the device.

But the vulnerability can be exploited in other ways, too. "A secondary attack vector involves the WebViews embedded inside a large number of Android applications," says an overview published by Rapid7. "Ad integrations are perhaps the worst offender here." In particular, if an attacker could gain man-in-the-middle access to a vulnerable application's HTML connection, or to the cross-site scripting code used by the application, then the attacker could inject the malicious JavaScript code and gain command-shell access to the device.

How can Android users protect themselves against the vulnerability? That's an open question. "Who do you lean on to get this patched? The big box retailer who sold it to you? The manufacturer of the phone hardware? The cellphone service provider? Google?" said Rapid7's Beardsley. "It may seem a little spurious, but it's a question that's going to be asked by journalists, wonks, and -- hopefully -- consumer protection groups in the coming weeks."

The problem of device manufacturers that ship products with Android installed and then fail to update them in a timely manner led the American Civil Liberties Union to file a complaint with the Federal Trade Commission last year. The ACLU requested that the agency investigate the country's four major wireless carriers for unfair business practices, on the grounds that they hold customers to long-term contracts, yet often fail to keep those customers' devices secure.

Pending patches from handset manufacturers and carriers, what else could be done to arrest these types of vulnerabilities? Cutting down on the fragmentation of the Android ecosystem would be a good start.

On that front, a leaked memo that surfaced Sunday suggests that Google is aiming to prevent handset manufacturers from releasing devices that don't sport the latest version of the Android operating system, Mobile Bloom News first reported.

Google's carrot -- and stick -- for handset makers is that by using the latest version of Android, their devices will have access to Google Mobile Services (GMS), meaning the Google Services Framework and Google Play Store.

Or in the words of the memo: "Starting February 2014, Google will no longer approve GMS distribution on new Android products that ship older platform releases. Each platform release will have a 'GMS approval window' that typically closes nine months after the next Android platform release is publicly available. (In other words, we all have nine months to get new products on the latest platform after its public release.)"

That push for handset vendors to build the latest, or at least a very recent, version of Android into their devices would carry information security benefits, too, because newer versions of the operating system include patches for a number of well known vulnerabilities.

That said, Google still faces an uphill battle when it comes to getting device manufacturers to issue timely security updates -- or in some cases, any patches at all -- for devices they have already sold.

The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Number 6
50%
50%
Number 6,
User Rank: Apprentice
2/20/2014 | 2:16:52 PM
Re: Android's uphill battle
They already have your money and unless you root your phone, they're in full control. Samsung seems more interested in updating its Push Service, whatever that does.
Number 6
50%
50%
Number 6,
User Rank: Apprentice
2/20/2014 | 2:15:21 PM
Re: 93 weeks?
I haven't seen these companies, other than antivirus/firewall manufacturers, saying they put security first. It's like when car companies didn't want to advertise safety features because they feared the ads would remind drivers that their cars could crash. Volvo showed them that safety sells. But so far Samsung, Apple, ATT, Verizon, etc don't sell security except for your house. Irony noted.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
2/19/2014 | 4:59:51 PM
93 weeks?
Has this vulnerability really been left untended for 93 weeks? That's a pretty dismal response from companies that claim to put security first.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/19/2014 | 4:59:41 PM
Android's uphill battle
 You would think device manufacturers would know that timely patching is critical to the success of their products. Or am I missing something? 

 
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29367
PUBLISHED: 2020-11-27
blosc2.c in Blosc C-Blosc2 through 2.0.0.beta.5 has a heap-based buffer overflow when there is a lack of space to write compressed data.
CVE-2020-26245
PUBLISHED: 2020-11-27
npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper pollution problems. The issue is fixed in version 4.30.5. If you cannot upgrade, be sure to check or sani...
CVE-2017-15682
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/blind XSS in the admin panel.
CVE-2017-15683
PUBLISHED: 2020-11-27
In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band.
CVE-2017-15684
PUBLISHED: 2020-11-27
Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system.