
Android WebView exploit published, most devices vulnerable to old bug

Researchers warn that the majority of Android devices are vulnerable to a WebView exploit that leverages a nearly two-year-old vulnerability in the mobile platform.

The bug, a privilege escalation vulnerability in Android's WebView programming interface, impacts Android platforms older than version 4.2 and could give an attacker remote access to users' cameras, file systems, call logs, text messages, contacts and other device data.

Although Google provided a fix for the vulnerability back in November, researchers are concerned about the number of users who have yet to receive an update from their service provider or device manufacturer.

In a Thursday blog post, Tod Beardsley, an engineering manager at Rapid7 and technical lead for the Metasploit Framework, revealed that a recently released Metasploit module exploiting the bug may serve as a means of spurring much-needed patches for the threat.

In the post, Beardsley noted that around 70 percent of Android devices are likely impacted by the WebView flaw.

“I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93 [plus] weeks in the wild,” Beardsley wrote.

After some research, he also found that a number of newly purchased phones were vulnerable to the threat.

“In a completely unsurprising twist, I did a quick survey of the phones available today on the no-contract rack at a couple big-box stores, and every one that I saw [was] vulnerable out of the box,” Beardsley said. “And yes, that's here in the U.S., not some far-away place like Moscow, Russia.”

In a Wednesday follow-up interview with SCMagazine.com, Beardsley further emphasized the responsibility that service providers and manufacturers have in patching the critical vulnerability.

“While Google is the one source of truth for Android, device manufacturers and service providers have to vet the patches,” Beardsley said. “They need to get their act together to push out to users' updates to the Android operating systems.”

The research community and security advocates have repeatedly called out service providers and OEMs [original equipment manufacturers] for being too sluggish in pushing fixes to customers.

Last April, the American Civil Liberties Union (ACLU) went as far as to file a complaint with the Federal Trade Commission (FTC) over the practice. In the complaint, the ACLU accused major wireless providers, like AT&T, Verizon and Sprint, of failing to provide timely patches for users, despite developers, like Google, regularly fixing bugs affecting their software.
