Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drive-by Android Malware Exploits Unpatchable Vulnerability

Posted by timothy on from the bad-people-are-out-there dept.

An anonymous reader writes "Attackers have crafted the E-Z-2-Use malware code that exploits a 14-month-old vulnerability in Android devices. The vulnerability exists in the WebView interface a malicious website can utilize it to gain a remote shell into the system with the permissions of the hijacked application. Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market. The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google."

11 of 120 comments (clear)

  1. errr that's Unpatched not Unpatchable by Anonymous Coward · · Score: 3, Informative

    it was fixed in v 4.2 so it is patchable
    QED

  2. Cognitive dissonance by Dachannien · · Score: 4, Informative

    Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market.

    The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google.

    But apparently not so difficult as to make it impossible? Is there something I don't understand here, or was this summary just horribly written?

  3. Everything old is new again by mt1955 · · Score: 3, Informative

    Android feels like it is steadily becoming the new Windows.

    -- It's showing up everywhere.

    -- The version issues hark back to the days of "DLL hell"

    -- This drum beat of exploits has a familiar rhythm too.

    -- As a multi-platform developer I find I'm always having to reboot my device, and the IDE just to get a clean test run.

    Call me a fan boy but iOS is a much better world to work and play in

    1. Re:Everything old is new again by cheesybagel · · Score: 4, Informative

      Impossible of course.

  4. Tried Cyanogenmod for this very reason by sparkyradar · · Score: 3, Informative

    My HTC One X has been abandoned last year at 4.1.2, with still more 2yrs left on the contract :-O :-( While that sucks, I did move to Cyanogenmod, through a few different flavours. I'm running CM11 Milestone 2, but I think I can safely predict what will and will not work for anyone who goes this route (because these issues have persisted through several releases in Cyanogenmod):

    1) you will have Bluetooth for audio, but not for keyboards, game-controllers (no HID stuff)
    2) you will not have IPv6. Not a big deal for most people, but this is News for Nerds :-)
    3) returning to a previous WiFi location may require toggling Airplane Mode to get it to reconnect

    But for a non-technical person like my wife, using CM11 / KitKat 4.4.2 truly *IS* a viable answer (hahaha - using. Getting to CM11 is most definitely not for her... that's my thing). For the future, Nexus devices or Play devices are likeliest.

  5. If I understand TFA by Lawrence_Bird · · Score: 1, Informative

    the attacker can gain the same access that the Android built in web browser has That doesn't sound that bad on the face of it and you can avoid entirely by using a different browser. It may not get you 100% security from the exploit but should get you pretty near.

    1. Re:If I understand TFA by noh8rz10 · · Score: 5, Informative

      the attacker can gain the same access that the Android built in web browser has That doesn't sound that bad on the face of it

      FTFA:

      The code exploits a critical bug in Android's WebView programming interface that was disclosed 14 months ago. The security hole typically gives attackers remote access to a phone's camera and file system and in some cases also exposes other resources, such as geographic location data, SD card contents, and address books.

      The easiest way to exploit the bug is to lure a vulnerable user to a booby-trapped webpage. Within seconds, the site operator will obtain a remote shell window that has access to the phone's file system and camera. In some cases, the exploit can also be triggered by performing a man-in-the-middle attack while the victim is on an unsecured Wi-Fi network.

      I would say this is a big deal.

  6. Re:errr that's Unpatched not Unpatchable by Nemyst · · Score: 4, Informative

    With 4.4 a lot of low-end phones could technically be supported when they couldn't run 4.3. The largest hurdles are carriers and manufacturers dropping support after an obscenely short time.

  7. err not 4.2 by nazsco · · Score: 2, Informative

    The still most widely deployed version, 2.3, is fine. At least if you don't run apps with ads, but then, there's no hope left for you anyway.

    Nobody mentions which version introduced the bug in the browser, but I'm guessing it's 3.1. But i know very little.

  8. Re:errr that's Unpatched not Unpatchable by pepty · · Score: 5, Informative

    Chrome. Or firefox. Or Opera ... So long as you skip the Android browser (and Webview) the exploit can be avoided.

  9. Re:errr that's Unpatched not Unpatchable by GNious · · Score: 3, Informative

    There is an unofficial Cyanogenmod version for my phone - the instructions for installing it is incomplete, and refers to multiple articles that basically lead in circles.