Android apps including those in Google Play Store vulnerable to MitM remote code execution exploit
Arstechnica, Attackers can slip malicious code into many Android apps via open Wi-Fi:
“Many apps available on the official Google Play market don’t properly secure the connection between the WebView component on a phone and the Web content being downloaded, researchers from UK-based MWR Labs recently warned. That makes it possible for attackers who are on the same open Wi-Fi network as a vulnerable user to hijack the connection and inject malicious code that can be executed by the phone.”
Security researchers from MWR Labs published this Android security vulnerability:
Depending on the device that was exploited this could extend to obtaining root privileges, retrieving other sensitive user data from the device or causing the user monetary loss.”
MWR Labs notes that the issue is exploitable on all devices and versions of Android:
“If the linked SDK has been built for an API lower than 17, the vulnerability exists – even if the application using the SDK has been built for API 17 or above.”
Google Play Android apps vulnerable
So they looked into the top Android apps. As of July 30, 2013 out of top one hundred Android apps 21 (such as Netflix) don’t use webview ads, 79 has ads. Of the 79 apps with ads, 62 are using the WebViews that are potentially vulnerable. The researchers found most of the other apps from Google Play Store can be used to hack Android devices.
All Android versions vulnerable, including 4.2
Android 4.2 and above contains an option to fix the problem. However, as September 2013, only 8.5% of Android devices that access Google Play Store are using 4.2.x. That means over 91.5% of Android device are definitely vulnerable (that’s not counting all those cheap Android devices that don’t access the Android market).
In addition, the Android 4.2 security fix “requires the developer to take explicit action to do so.” Thus, most of the top apps don’t include the fix, even if the device is one of 8.5% that runs Android 4.2.
What an open wasteland.
Vulnerable Android apps include legitimate banking apps. Any Android apps with permission to send SMS can be hijacked by attacker. Since most Android phones don’t receive any OS or security updates, this problem will be easy for malware makers to exploit.