Android stock browser vulnerable to URL spoofing

It's recommended that users install Chrome or another browser

Android browser bug allows attackers to spoof the URLs displayed in the address bar

Android browser bug allows attackers to spoof the URLs displayed in the address bar

A vulnerability in Android's default Web browser lets attackers spoof the URL shown in the address bar, allowing for more credible phishing attacks.

Google released patches for the flaw in April, but many phones are likely still affected, because manufacturers and carriers typically are slow to develop and distribute Android patches.

The vulnerability was discovered by a researcher named Rafay Baloch and was privately reported to Google with the help of security firm Rapid7.

Baloch discovered the flaw on Android 5.0 Lollipop, which uses Chrome as its default browser, but then also confirmed it in the stock browser in older Android versions.

The issue stems from the browser's improper handling of error 204 "No Content" when returned by servers. The researcher created a proof-of-concept exploit that redirects the browser to a non-existent resource on www.google.com, but then loads a spoofed Google Account login page.

The browser patch for Chrome was distributed to Android Lollipop users through Google Play, but the fix for Android 4.4 (KitKat) will require an OS update whose availability will depend on device manufacturers and carriers, said Tod Beardsley, security research manager at Rapid7, via email.

According to Google's official statistics, almost 40 percent of Android devices that access Google Play are running Android 4.4 and only 10 percent run Android 5.x.

Android 4.4 users who haven't received an OS update recently should avoid using the stock browser to access sites that require authentication, Rapid7 said in an advisory. Chrome or other browsers that are updated through Google Play can be good alternatives.

Users who run Android versions older than 4.4 should stop using the Android stock browser, also known as the AOSP browser, anyway because Google will no longer release security patches for it.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags mobile securityGooglescamspatchesExploits / vulnerabilitiesRapid7

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

Family Friendly

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Stocking Stuffer

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?