Slashdot Mirror

← Back to Stories (view on slashdot.org)

Drive-by Android Malware Exploits Unpatchable Vulnerability

Posted by timothy on from the bad-people-are-out-there dept.

An anonymous reader writes "Attackers have crafted the E-Z-2-Use malware code that exploits a 14-month-old vulnerability in Android devices. The vulnerability exists in the WebView interface a malicious website can utilize it to gain a remote shell into the system with the permissions of the hijacked application. Vulnerable devices are any device that is running a version earlier than 4.2 (in which the vulnerability was patched) which is a staggeringly large amount of the market. The vulnerability is in Android itself rather than the proprietary GMS application platform that sits atop the base operating system so it is not easily patched by Google."

4 of 120 comments (clear)

  1. Fragmentation not an issue eh? by Anonymous Coward · · Score: 5, Interesting

    Some carriers still sell android 2.x devices. If you don't buy a mainstream/high end device your phone will likely never see a patch, ever.

    Not saying my iphone is invulnerable, but my almost 4 year old iphone4 still gets patches. So does my 5s, and I expect it will 3-4 years from now.

    And no, normal users can't and don't install Cyanogen. Sorry.

  2. Re:errr that's Unpatched not Unpatchable by Penguinisto · · Score: 5, Interesting

    it was fixed in v 4.2 so it is patchable
    QED

    Not exactly QED: Most Android phones are unpatchable due to the carrier not giving a damn (for various reasons), the phone hardware being too old (or too low-end), and/or the manufactuer not giving a damn (they'd prefer you buy a new phone from them instead). There are of course jailbreaks, if your carrier doesn't cut you off for using it, and if there's one that works on your phone, and if you have the technical 'oomph to install it without bricking the thing.

    To put it bluntly? Unless you paid at least $300 for your Android smartphone and it's less than 3 years old (if you're lucky), you're pretty much screwed.

    (Before anyone gets butthurt about it, no, I don't own an iPhone. I have a cheap Android device, but as I bought it recently, it has 4.2 on it.)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  3. Re:If I understand TFA by noh8rz10 · · Score: 5, Informative

    the attacker can gain the same access that the Android built in web browser has That doesn't sound that bad on the face of it

    FTFA:

    The code exploits a critical bug in Android's WebView programming interface that was disclosed 14 months ago. The security hole typically gives attackers remote access to a phone's camera and file system and in some cases also exposes other resources, such as geographic location data, SD card contents, and address books.

    The easiest way to exploit the bug is to lure a vulnerable user to a booby-trapped webpage. Within seconds, the site operator will obtain a remote shell window that has access to the phone's file system and camera. In some cases, the exploit can also be triggered by performing a man-in-the-middle attack while the victim is on an unsecured Wi-Fi network.

    I would say this is a big deal.

  4. Re:errr that's Unpatched not Unpatchable by pepty · · Score: 5, Informative

    Chrome. Or firefox. Or Opera ... So long as you skip the Android browser (and Webview) the exploit can be avoided.