Rapid7’s security researcher discovers an Android browser exploit
Rapid7’s security researcher discovers an Android browser exploit and a way to take over roughly 70 percent of Android devices via a Web page or app
This Android browser exploit looks pretty amazing for two reasons:
1) It highlights the bigger issue of the challenge of updating Android devices (I mean the bug was patched from at least July last year, and yet 70% of Android devices are still vulnerable to it) – users in many cases can’t update their OS, and even if they do, they also need to update their apps, and then there’s the additional software their carrier or device manufacturer forces them to have. It’s kind of a mess, and I personally think Google is basically standing in the spot MSFT was before it built the Trusted Computing team and started Patch Tuesday – it needs to figure out how it’s going to tackle this whole updating thing across the ecosystem, and it needs to do it fast. You already know I have this big concern that this situation is only going to get worse as we see more Internet of Things devices standardizing on Android.
2) A researcher called jduck (Joshua Drake) just used the exploit on his Google Glass and it worked: https://twitter.com/jduck/status/431662744656293888
Here’s the background info:
* What is it?
It’s a Metasploit exploit for remote code execution for Android Browser.
* How bad is it?
Very. It basically gives the attacker the keys to your mobile device, it affects a high proportion of Android users (details below), and it’s complex to properly protect yourself.
* Who does it affect?
Anyone using any Android version before 4.2.1, which is apparently about 70% of Android devices. Here are some sources for that number:
In fact, lots of phones are still being sold to consumers with Android 4.0 and below (e.g. http://wireless.walmart.com/content/android/), and Android is notoriously hard to update on some vendors’ devices (more on that below).
Users on Android 4.2.1 and later still need to be cautious of out-of-date apps.
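The "anyone on an Android version before 4.2.1" rule above is easy to state and surprisingly easy to get wrong in a fleet check, because version strings come in different shapes ("4.2" versus "4.2.1", "4.10" sorting before "4.9" if compared as text). The following is an added example, not code from Rapid7 or from the original post, that parses a constructed device inventory (the CSV, device ids and models are made up for illustration) and flags every device whose OS is below the 4.2.1 threshold the post gives:

```python
import csv
import io
import re

# Threshold stated in the post: any Android version before 4.2.1 is affected.
MIN_FIXED = (4, 2, 1)

# Constructed sample inventory, e.g. an MDM export; ids and models are made up.
INVENTORY_CSV = """\
device_id,model,android_version
d001,Phone A,4.0.4
d002,Phone B,4.1.2
d003,Phone C,4.2
d004,Phone D,4.2.1
d005,Phone E,4.4.2
d006,Tablet F,2.3.6
"""


def parse_version(version: str) -> tuple:
    """Turn '4.0.4', '4.2' or '4.4.2-update1' into a comparable tuple of ints.

    Comparing as integers avoids the '4.10' < '4.9' mistake of string
    comparison; padding with zeros makes '4.2' compare as (4, 2, 0), i.e.
    below (4, 2, 1).
    """
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised Android version string: {version!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_vulnerable_os(version: str) -> bool:
    """True if the OS version is below the 4.2.1 cut-off from the post."""
    return parse_version(version) < MIN_FIXED


def triage(inventory_csv: str) -> list:
    """Return (device_id, model, version) for every device still below 4.2.1."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [
        (row["device_id"], row["model"], row["android_version"])
        for row in reader
        if is_vulnerable_os(row["android_version"])
    ]


def exposure_ratio(inventory_csv: str) -> float:
    """Fraction of the inventory running an affected OS version."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    flagged = sum(1 for r in rows if is_vulnerable_os(r["android_version"]))
    return flagged / len(rows) if rows else 0.0


if __name__ == "__main__":
    for device_id, model, version in triage(INVENTORY_CSV):
        print(f"{device_id}\t{model}\tAndroid {version}\tNEEDS OS UPDATE")
    print(f"exposure: {exposure_ratio(INVENTORY_CSV):.0%} of inventory")
```

Treat the result as a lower bound: as the post notes further down, an app built against the old libraries stays vulnerable even on a patched OS, so a device passing this OS-version check is not necessarily safe until its apps are updated as well.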
* How does it work?
* What does it do?
Essentially you can control the device remotely. Depending on the permissions granted to the exploited application, potentially you can:
– read SD card contents
– read GPS info
– steal address book
– access camera/mic
* How can people protect themselves?
The straightforward answer is to update your Android OS to the latest version; however, this actually isn’t straightforward in practice at all due to the complexity of the ecosystem – OS updates are often controlled by the carrier and are different for each device type, so this is a huge challenge. Many phone vendors lock you into an OS version and you actually can’t update without their permission. Also, most vendors bundle their own software which you cannot update or remove. In some cases, protecting against this will mean voiding your warranty.
My initial thought was that maybe you could avoid using the browser, but many apps use WebView under the covers. One tested example is the Baidu app, which was built with the old libraries and freshly installed on an Android 4.4.2 device. This is vulnerable – tested and proven by Metasploit contributor Tim Wright. So basically users need to update all their apps as well, and unfortunately, there’s no way to tell if your apps are vulnerable or not.
* Who created the exploit and who should you talk to for more info?
Joe Vennix (https://twitter.com/joevennix ) – a member of the Metasploit team. He’s brilliant. Questions by email please – this is his first media interaction and he’s a little shy.