Android apps including those in Google Play Store vulnerable to MitM remote code execution exploit

Friday, September 27, 2013
By OP Editor

Now that’s openness. Attackers can execute malicious code on Android devices by injecting JavaScript into apps, and the flaw is exploitable on all devices and versions of Android.

Ars Technica, “Attackers can slip malicious code into many Android apps via open Wi-Fi”:

“Many apps available on the official Google Play market don’t properly secure the connection between the WebView component on a phone and the Web content being downloaded, researchers from UK-based MWR Labs recently warned. That makes it possible for attackers who are on the same open Wi-Fi network as a vulnerable user to hijack the connection and inject malicious code that can be executed by the phone.”

Security researchers from MWR Labs published this Android security vulnerability:

“Many free apps use a WebView to load HTML content as an in-process web browser and the advertising network SDK uses the browser instance to facilitate advertisement loading from remote advertiser networks. These advertisements are loaded over a clear text channel (HTTP) and are susceptible to Man in the Middle (MitM) attacks. An attacker able to MitM the communications with the advertising network can inject arbitrary JavaScript into the WebView. […]

Depending on the device that was exploited this could extend to obtaining root privileges, retrieving other sensitive user data from the device or causing the user monetary loss.”

MWR Labs notes that the issue is exploitable on all devices and versions of Android:

“If the linked SDK has been built for an API lower than 17, the vulnerability exists – even if the application using the SDK has been built for API 17 or above.”

Google Play Android apps vulnerable

So they looked into the top Android apps. As of July 30, 2013, of the top one hundred Android apps, 21 (such as Netflix) don’t use WebView ads and 79 have ads. Of the 79 apps with ads, 62 use WebViews that are potentially vulnerable. The researchers found that most of the other apps from the Google Play Store can be used to hack Android devices.

All Android versions vulnerable, including 4.2

Android 4.2 and above contain an option to fix the problem. However, as of September 2013, only 8.5% of Android devices that access the Google Play Store are running 4.2.x. That means over 91.5% of Android devices are definitely vulnerable (that’s not counting all those cheap Android devices that don’t access the Android market).

In addition, the Android 4.2 security fix “requires the developer to take explicit action to do so.” Thus, most of the top apps don’t include the fix, even if the device is one of the 8.5% that run Android 4.2.
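As an added example (not from the original post or from MWR Labs), here is a static triage script for the conditions described above: a target API level below 17, WebView content loaded over clear-text HTTP, and a JavaScript bridge whose methods lack the opt-in `@JavascriptInterface` annotation introduced with API 17. The function names, sample manifest and Java snippets are constructed for illustration, and the script assumes a decoded manifest and decompiled Java sources.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BRIDGE_CALL = re.compile(r"\.addJavascriptInterface\s*\(")
ANNOTATION = re.compile(r"@JavascriptInterface\b")
CLEARTEXT_LOAD = re.compile(r'\.loadUrl\s*\(\s*"http://', re.IGNORECASE)


def effective_target_sdk(manifest_xml):
    """targetSdkVersion falls back to minSdkVersion, which falls back to 1."""
    uses_sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    attrs = uses_sdk.attrib if uses_sdk is not None else {}
    value = attrs.get(ANDROID_NS + "targetSdkVersion",
                      attrs.get(ANDROID_NS + "minSdkVersion", "1"))
    return int(value)


def audit_webview(manifest_xml, sources):
    """Return (location, finding) pairs for a decoded manifest and Java sources."""
    findings = []
    if effective_target_sdk(manifest_xml) < 17:
        findings.append(("AndroidManifest.xml", "target-sdk-below-17"))
    for name, code in sources.items():
        if CLEARTEXT_LOAD.search(code):
            findings.append((name, "cleartext-webview-load"))
    # The API 17 fix is opt-in: bridge methods must carry @JavascriptInterface.
    bridged = [n for n, c in sources.items() if BRIDGE_CALL.search(c)]
    if bridged and not any(ANNOTATION.search(c) for c in sources.values()):
        findings.extend((n, "bridge-without-annotation") for n in bridged)
    return findings


# Constructed sample inputs (not taken from any real app).
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            '<uses-sdk android:minSdkVersion="8" android:targetSdkVersion="%d"/>'
            '</manifest>')
WEAK_SRC = {"AdActivity.java":
            'webView.addJavascriptInterface(new AdBridge(), "bridge");\n'
            'webView.loadUrl("http://ads.example.test/banner.html");\n'}
FIXED_SRC = {"AdActivity.java":
             'webView.addJavascriptInterface(new AdBridge(), "bridge");\n'
             'webView.loadUrl("https://ads.example.test/banner.html");\n',
             "AdBridge.java":
             'class AdBridge { @JavascriptInterface public void close() {} }\n'}

if __name__ == "__main__":
    print(audit_webview(MANIFEST % 16, WEAK_SRC))
    print(audit_webview(MANIFEST % 17, FIXED_SRC))
```

Per the MWR Labs note quoted above, a bundled SDK built for an API lower than 17 remains exposed regardless of the app's own target, so a clean result on the app's own sources does not clear third-party ad libraries.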

Android remote malicious code execution vulnerability

What an open wasteland.

Vulnerable Android apps include legitimate banking apps. Any Android app with permission to send SMS can be hijacked by an attacker. Since most Android phones don’t receive any OS or security updates, this problem will be easy for malware makers to exploit.

