Android Browser Exploit Identified (2/21/2014)

An exploit has been circulating that takes advantage of vulnerabilities in the default Android browser on Android  4.1 and older. Though there have been no reported exploits of the vulnerability in the wild, an exploit has been demonstrated by the Rapid7 security group. Google has fixed the bug in new Android releases beginning with Android 4.2, released on November 13, 2012, but Android 4.2 and above is only available on a small subset of Android devices and is available only when allowed by the device manufacturers. Further, Google has no mechanism for deploying in-situ security patches to Android devices running older versions for the Android browser at this time.

To mitigate the vulnerability, users of Android 4.1 and previous are encouraged to do three things:

1. Download and use an alternative web browser from the Google Play Store, such as Chrome or Firefox. Browsers on the Play Store receive regular updates not in sync with the Android update cycle.

2. Review the data stored on the device and, if planning to continue to use the default Android browser, remove any sensitive or confidential University data from the device (including email, Box account, etc).

3. (Optional) Disable the built-in browser completely by navigating to Settings – Apps – All Apps – Browser, and selecting ‘Disable’. This will hide the browser from the device app list.

Further, all users of mobile devices should carefully consider future mobile purchases in light of this exploit. While Google’s decision to allow Android to be an “open” platform has given device manufacturers unprecedented freedom in the look and feel of their device UIs, it has also created a situation in which security updates for native applications are impeded from being rolled out effectively. This is far less of a problem with Google Experience devices, including the Nexus line, which receive the latest updates far more quickly than other Android devices, and is not a problem with iOS or Windows Phone devices.

Detailed information

The vulnerability exploits a critical bug in Android’s default browser identified nearly 14 months ago that allows the injection of infected Java objects into the browser. This code, in conjunction with JavaScript, can then be used to control phone functionality. Last week, a module was published to Metasploit that demonstrates an attacker’s capability to remotely access a phone's camera, file system, geographic location, SD card contents, and address books, among other resources.

The Android version can be found under Settings – About Phone. Any version of Android numbered 4.1.x and lower is vulnerable; devices running Android 4.2 and higher are not vulnerable.

For technical reference

Print This Page Share:
Date Posted: February 21, 2014 Tags: Information Security and Privacy

Was this information helpful?

Login with PennKey to view and post comments