Android vulnerability still a threat to many devices nearly two years later

Many apps that use the Android addJavascriptInterface API are still vulnerable to JavaScript code injection, researchers from Bromium said

Security researchers have recently found a vulnerability that could be used to hijack Android apps and devices, but an older issue that can have the same effect remains a significant threat nearly two years after its discovery, according to security firm Bromium.

The issue was reported in December 2012 and concerns an Android API (application programming interface) called addJavascriptInterface that allows applications to expose their native code to Web code running inside a WebView, an instance of Android's Web browser engine.

A large number of applications and advertising frameworks embedded into applications use WebView to display Web content loaded from remote servers -- for example, ads. The problem is that many of these apps don't load the WebView content over an encrypted HTTPS (HTTP Secure) connection.

This lack of data transport encryption allows attackers who intercept connections coming from such an app to inject rogue JavaScript code into its traffic. This is known as a man-in-the-middle attack and there are several methods to pull it off, especially on wireless networks.

If an app doesn't encrypt its traffic, uses WebView and also uses addJavascriptInterface, an attacker can inject JavaScript code to gain access to the app's functionality and abuse its permissions on the system. Researchers have also shown that it's possible for attackers to exploit this weakness in order to open a reverse TCP shell back to a server under their control in order to execute commands on the underlying device.

Furthermore, an attacker could combine this remote code execution attack through addJavascriptInterface with one of several privilege escalation vulnerabilities that affect various Android versions in order to run commands as root and essentially gain full control over the device.

"The futex vulnerability for instance (CVE-2014-3153) affects every Linux kernel version currently used by Android and was recently used to successfully root the Galaxy S5 for the first time," the Bromium security researchers said in a blog post Thursday.

Google implemented a fix for the addJavascriptInterface attack in Android API level 17, which corresponds to Android 4.2, released in November 2012. However, many applications and devices remain vulnerable.

"In order to be compatible with the widest number of devices, apps and ad frameworks are often built against the lowest possible API version," the Bromium researchers said. "The upshot is that an app can be vulnerable even when running on a fully patched Android device running 4.2, 4.3 or 4.4."

The researchers downloaded a random 102,189 free apps from the Google Play store in May and tested them. They found that 13,119 of them, or 12.8 percent, were potentially vulnerable because they were using addJavascriptInterface.

A subset of those were then installed and tested on a Nexus 5 running Android 4.4.3 and a Samsung XE700t tablet running Android Open Source Project firmware version 4.2. The devices were connected to a rogue wireless access point that the researchers controlled.

"Merely by launching each app and interacting briefly with it, we successfully triggered remote code execution in over half of them" as they loaded the malicious JavaScript code injected by a man-in-the-middle Web proxy running on the access point, the researchers said.

Around 13 percent of apps being potentially vulnerable, but not necessarily exploitable, doesn't sound like much. However, not all apps are equal -- some are more popular than others.

"From only the small sample we manually confirmed were vulnerable, there are over 150 million downloads," the Bromium researchers said. "This doesn't necessarily mean there are guaranteed 150,000,000 vulnerable devices out there, because one device could have multiple different vulnerable apps installed. But given the proportions we've found in our analysis -- 10% of sampled apps potentially vulnerable, 50% of the potentially vulnerable apps we tested actually were exploitable -- that is a likely to be a lot of devices."

It's also worth pointing out that, according to Google's latest statistics from Google Play, over half of Android devices are running Android versions older than 4.2.

The Bromium researchers went even further and cross-referenced the list of potentially vulnerable apps with data from the Device Analyzer project at the University of Cambridge that collects information about app usage from 19,606 real-world devices.

"For the last year or so, the Device Analyser data shows that their users on average opened 0.4-0.5 potentially vulnerable apps per day," the Bromium researchers said. "Or in simpler terms, their average user is vulnerable a couple of times a week."

The Bromium analysis highlights that some Android vulnerabilities can linger on for a long time, despite patches being available. That's primarily because of the fragmentation that exists in the Android ecosystem and the many parties that have to take action when security issues arise, such as Android developers, device manufacturers, carriers, app developers and advertising networks.

The addJavascriptInterface vulnerability in particular can also pose a risk to corporate wireless networks, especially since malware can exploit it to infect other devices on the network.

"One compromised device can become the man-in-the-middle on whatever networks it subsequently joins, thus spreading the attack to, for example, the corporate wifi network so popular in the bring-your-own-device world," the Bromium researchers said.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Googlesecuritymobile securityBromiumExploits / vulnerabilitiesmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?