Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Android vulnerability still a threat to many devices nearly two years later

Lucian Constantin | Aug. 4, 2014
Security researchers have recently found a vulnerability that could be used to hijack Android apps and devices, but an older issue that can have the same effect remains a significant threat nearly two years after its discovery, according to security firm Bromium.

android malware

Security researchers have recently found a vulnerability that could be used to hijack Android apps and devices, but an older issue that can have the same effect remains a significant threat nearly two years after its discovery, according to security firm Bromium.

The issue was reported in December 2012 and concerns an Android API (application programming interface) called addJavascriptInterface that allows applications to expose their native code to Web code running inside a WebView, an instance of Android's Web browser engine.

A large number of applications and advertising frameworks embedded into applications use WebView to display Web content loaded from remote servers — for example, ads. The problem is that many of these apps don't load the WebView content over an encrypted HTTPS (HTTP Secure) connection.

This lack of data transport encryption allows attackers who intercept connections coming from such an app to inject rogue JavaScript code into its traffic. This is known as a man-in-the-middle attack and there are several methods to pull it off, especially on wireless networks.

If an app doesn't encrypt its traffic, uses WebView and also uses addJavascriptInterface, an attacker can inject JavaScript code to gain access to the app's functionality and abuse its permissions on the system. Researchers have also shown that it's possible for attackers to exploit this weakness in order to open a reverse TCP shell back to a server under their control in order to execute commands on the underlying device.

Furthermore, an attacker could combine this remote code execution attack through addJavascriptInterface with one of several privilege escalation vulnerabilities that affect various Android versions in order to run commands as root and essentially gain full control over the device.

"The futex vulnerability for instance (CVE-2014-3153) affects every Linux kernel version currently used by Android and was recently used to successfully root the Galaxy S5 for the first time," the Bromium security researchers said in a blog post Thursday.

Google implemented a fix for the addJavascriptInterface attack in Android API level 17, which corresponds to Android 4.2, released in November 2012. However, many applications and devices remain vulnerable.

"In order to be compatible with the widest number of devices, apps and ad frameworks are often built against the lowest possible API version," the Bromium researchers said. "The upshot is that an app can be vulnerable even when running on a fully patched Android device running 4.2, 4.3 or 4.4."

The researchers downloaded a random 102,189 free apps from the Google Play store in May and tested them. They found that 13,119 of them, or 12.8 percent, were potentially vulnerable because they were using addJavascriptInterface.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.