A method to control 70 per cent of Android devices has been revealed.
According to Rapid7 security researcher Joe Vennix, a browser exploit can control Android devices via a Web page or app. He claimed that this “gives the attacker the keys to your mobile device” and affects anyone using any Android version before 4.2.1, which is apparently about 70 per cent of Android devices.
It works by exploiting a vulnerability which was publicly disclosed in December 2012. The initial attack vector was through Javascript injection into a WebView in a third-party app that required the attacker to already have a man-in-the-middle position on the target. However this new exploit allows this to be done remotely and allows an attacker to control the device remotely.
“Depending on the permissions granted to the exploited application, potentially you can: read SD card contents, read GPS info, steal address book and access camera/mic,” he said.
Vennix said that one of the problems is the difficulties in updating Android, as OS updates are often controlled by the carrier and are different for each device type. Even though the flaw was disclosed in December 2012 and was patched in July 2013, he said that this “highlights the bigger issue of the challenge of updating Android devices, as users in many cases can’t update their OS. Even if they do, they also need to update their apps, and then there’s the additional software their carrier or device manufacturer forces them to have.”
“It’s kind of a mess, and I personally think Google is basically standing in the spot MSFT was before it built the Trusted Computing team and started Patch Tuesday – it needs to figure out how it’s going to tackle this whole updating thing across the ecosystem; and it needs to do it fast. You already know I have this big concern that this situation is only going to get worse as we see more Internet of Things devices standardising on Android,” he said.
“This is vulnerable – tested and proven by Metasploit contributor, Tim Wright. So basically users need to update all their apps as well, and unfortunately, there’s no way to tell if your apps are vulnerable or not.”
According to the Hacker News, Google will be forced to provide the latest version of Android (version 4.4 KitKat) in new handsets under its new policy. In a leaked memo, Google said: “Starting February 2014, Google will no longer approve GMS distribution of new Android products that ship older platform releases. Each platform release will have a GMS approval window that typically closes nine months after the next Android platform release is publicly available.”