Consider Android device vulnerabilities

Many mobile users fail to consider the potential for remote browser exploits, warns Joe Vennix

I recently discovered a remote browser exploit and a way to take over roughly 70 per cent of Android devices via a web page or app.

Our team developed a new Metasploit exploit that achieves remote code execution in the Android browser, based on an old vulnerability that Google patched last July.

Essentially, this exploit gives any attacker access to Android devices, which is worrying because it is too difficult for users to protect themselves properly.

Depending on the permissions granted to an exploited app, an attacker could read the SD card, read GPS information, steal user address books, and access built-in cameras and microphones.

Any device running Android version 4.2.1 or earlier is vulnerable – about 70 per cent of all Android devices, according to Google analyses.

In fact, many phones are still sold with Android 4.0 or earlier. On top of that, Android can be notoriously difficult to update on devices from some manufacturers.

The Android browser WebView vulnerability was publicised way back in December 2012, and Google released a new version of the OS, including a fix, in February 2013, but many users may still be handling an exploited device.

And in the case of the WebView vulnerability, it may have been used by attackers long before the wider public were made aware of it.

Different manufacturers can add multiple vulnerabilities of their own to the phones they produce, resulting in local exploits, so a determined attacker could focus his or her attack to eventually gain root access to all data and hardware.

Devices on Android OSes earlier than 4.2.1 are likely to remain vulnerable until the software is updated, which is unlikely to happen due to the role handset manufacturers, carriers and vendors will play in the update chain.

Users need to update their Android OS to the latest version, which is a problem as OS updates are often controlled by the carrier and differ for each device type. Many phone vendors lock users into an OS version and updates are granted only with their permission. Also, most vendors bundle their own software, which cannot be updated or removed.

There is no way to tell whether an app is vulnerable or not, so the best protection is to update all apps whenever updates are available.

So it's unnerving to see how few users are able to update their Android devices and, as this is a fairly easy and effective exploit, it is low-hanging fruit for an attacker.

Google has shifted some functions of Android into separate apps such as YouTube, Gmail and Google Search, which can be updated by users through the company's Play app store. In the most recent OS versions, the built-in browser code is hidden, with users pushed instead towards a mobile version of Google's Chrome desktop browser.

This does not affect the core of the Android software, however, and it does not fix the bug used by this exploit. Devices bought from companies other than Google cannot be considered secure.

Even if users update their OS, they may not update their apps or any additional software from their carrier or device manufacturer. This situation will only worsen as Android is adopted by still more devices and the Internet of Things becomes a reality.

In many ways, Google is standing in the place Microsoft was in before it built its Trusted Computing team and launched Patch Tuesday. Google urgently needs to tackle updates across the Android ecosystem.

For now, the best option is to buy Google Nexus or Google Play edition devices, which are updated more quickly with the latest Android releases.

Joe Vennix is a security researcher at Rapid7