Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drive-by Android Malware Exploits Unpatchable Vulnerability

Posted by timothy on from the bad-people-are-out-there dept.

An anonymous reader writes "Attackers have crafted the E-Z-2-Use malware code that exploits a 14-month-old vulnerability in Android devices. The vulnerability exists in the WebView interface a malicious website can utilize it to gain a remote shell into the system with the permissions of the hijacked application. Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market. The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google."

5 of 120 comments (clear)

  1. Cognitive dissonance by Dachannien · · Score: 4, Informative

    Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market.

    The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google.

    But apparently not so difficult as to make it impossible? Is there something I don't understand here, or was this summary just horribly written?

  2. Re:Everything old is new again by cheesybagel · · Score: 4, Informative

    Impossible of course.

  3. Re:errr that's Unpatched not Unpatchable by Nemyst · · Score: 4, Informative

    With 4.4 a lot of low-end phones could technically be supported when they couldn't run 4.3. The largest hurdles are carriers and manufacturers dropping support after an obscenely short time.

  4. Re:If I understand TFA by noh8rz10 · · Score: 5, Informative

    the attacker can gain the same access that the Android built in web browser has That doesn't sound that bad on the face of it

    FTFA:

    The code exploits a critical bug in Android's WebView programming interface that was disclosed 14 months ago. The security hole typically gives attackers remote access to a phone's camera and file system and in some cases also exposes other resources, such as geographic location data, SD card contents, and address books.

    The easiest way to exploit the bug is to lure a vulnerable user to a booby-trapped webpage. Within seconds, the site operator will obtain a remote shell window that has access to the phone's file system and camera. In some cases, the exploit can also be triggered by performing a man-in-the-middle attack while the victim is on an unsecured Wi-Fi network.

    I would say this is a big deal.

  5. Re:errr that's Unpatched not Unpatchable by pepty · · Score: 5, Informative

    Chrome. Or firefox. Or Opera ... So long as you skip the Android browser (and Webview) the exploit can be avoided.