Android WebView exploit published, most devices vulnerable to old bug

Share this article:
Android WebView exploit published, most devices vulnerable to old bug
Android WebView exploit published, most devices vulnerable to old bug

Researchers warn that the majority of Android devices are vulnerable to a WebView exploit that leverages a nearly two-year-old vulnerability in the mobile platform.

The bug, a privilege escalation vulnerability in Android's WebView programming interface, impacts Android platforms older than version 4.2 and could give an attacker remote access to users' cameras, file systems, call logs, text messages, contacts and other device data.

Although Google provided a fix for the vulnerability back in November, researchers are concerned about the number of users who have yet to receive an update from their service provider or device manufacturer.

In a Thursday blog post, Tod Beardsley, an engineering manager at Rapid7 and technical lead for the Metasploit Framework, revealed that a recently released Metasploit module exploiting the bug may serve as a means of spurring much needed patches for the threat.

In the post, Beardsley noted that around 70 percent of Android devices are likely impacted by the WebView flaw.

“I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93 [plus] weeks in the wild,” Beardsley wrote.

After some research, he also found that a number of newly purchased phones were vulnerable to the threat.

“In a completely unsurprising twist, I did a quick survey of the phones available today on the no-contract rack at a couple big-box stores, and every one that I saw [was] vulnerable out of the box,” Beardsley said. “And yes, that's here in the U.S., not some far-away place like Moscow, Russia.”

In a Wednesday follow up interview with SCMagazine.com, Beardsley further emphasized the responsibility that service providers and manufacturers have in patching the critical vulnerability.

“While Google is the one source of truth for Android, device manufacturers and service providers have to vet the patches,” Beardsley said. “They need to get their act together to push out to users' updates to the Android operating systems.”

The research community and security advocates have repeatedly called out service providers and OEMs [original equipment manufacturers] for being too sluggish in pushing fixes to customers.

Last April, the American Civil Liberties Union (ACLU) went as far as to file a complaint with the Federal Trade Commission (FTC) over the practice. In the complaint, ACLU accused major wireless providers, like AT&T, Verizon and Sprint, of failing to provide timely patches for users, despite developers, like Google, regularly fixings bugs affecting its software.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.