Android WebView exploit published, most devices vulnerable to old bug

Share this article:
Android WebView exploit published, most devices vulnerable to old bug
Android WebView exploit published, most devices vulnerable to old bug

Researchers warn that the majority of Android devices are vulnerable to a WebView exploit that leverages a nearly two-year-old vulnerability in the mobile platform.

The bug, a privilege escalation vulnerability in Android's WebView programming interface, impacts Android platforms older than version 4.2 and could give an attacker remote access to users' cameras, file systems, call logs, text messages, contacts and other device data.

Although Google provided a fix for the vulnerability back in November, researchers are concerned about the number of users who have yet to receive an update from their service provider or device manufacturer.

In a Thursday blog post, Tod Beardsley, an engineering manager at Rapid7 and technical lead for the Metasploit Framework, revealed that a recently released Metasploit module exploiting the bug may serve as a means of spurring much needed patches for the threat.

In the post, Beardsley noted that around 70 percent of Android devices are likely impacted by the WebView flaw.

“I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93 [plus] weeks in the wild,” Beardsley wrote.

After some research, he also found that a number of newly purchased phones were vulnerable to the threat.

“In a completely unsurprising twist, I did a quick survey of the phones available today on the no-contract rack at a couple big-box stores, and every one that I saw [was] vulnerable out of the box,” Beardsley said. “And yes, that's here in the U.S., not some far-away place like Moscow, Russia.”

In a Wednesday follow up interview with SCMagazine.com, Beardsley further emphasized the responsibility that service providers and manufacturers have in patching the critical vulnerability.

“While Google is the one source of truth for Android, device manufacturers and service providers have to vet the patches,” Beardsley said. “They need to get their act together to push out to users' updates to the Android operating systems.”

The research community and security advocates have repeatedly called out service providers and OEMs [original equipment manufacturers] for being too sluggish in pushing fixes to customers.

Last April, the American Civil Liberties Union (ACLU) went as far as to file a complaint with the Federal Trade Commission (FTC) over the practice. In the complaint, ACLU accused major wireless providers, like AT&T, Verizon and Sprint, of failing to provide timely patches for users, despite developers, like Google, regularly fixings bugs affecting its software.

Share this article:

Sign up to our newsletters

More in News

DDoS attacks remain up, stronger in Q2, report says

DDoS attacks remain up, stronger in Q2, report ...

Prolexic's second quarter DDoS report noted the proliferation of shorter attacks that ate up more bandwidth.

Superman soars above fellow superheroes as most toxic search term

A McAfee study found that searches pertaining to Superman exposed users to the most infected websites.

Black Hat talk on Tor weaknesses canceled

Black Hat organizers say legal counsel for the Software Engineering Institute and Carnegie Mellon University nixed the session.