A billion Android users are exposed to a high-risk vulnerability

Last September our research team published an Android remote code execution vulnerability: Alert: Android WebView addJavascriptInterface Code Execution Vulnerability. We assumed that most mobile developers would have patched it by now, but our recent review shows that the risk is much higher than we imagined: billions of users are affected by this high-risk vulnerability.

As we reported before, this vulnerability allows attackers to execute arbitrary Java code using JavaScript embedded in a web page. Depending on the permissions the vulnerable app has requested, attackers can send SMS in the background, turn your phone into an interception device, make phone calls, or even install packages (on rooted phones).

Google has released a patch in Android 4.2, but this does not completely solve the problem. For those running Android versions lower than 4.2 (actually 75% of Android users), the thousands of mobile applications that still carry this vulnerability make them vulnerable targets. Those vulnerable apps can be divided into 3 groups.

Class A: The vulnerable WebView loads a remote URL that is controllable by the user.

This is the most dangerous situation: a controllable URL is a perfect attack surface for this vulnerability. For instance, consider a social app that lets users share URLs which are later displayed in a WebView when their friends click the link. A malicious user can share a URL that contains exploit code, and every viewer would be compromised.

Class B: The vulnerable WebView loads a remote URL that is not controllable by the user.

Not as easily exploited as Class A, but still exploitable when attackers gain control of the network. For example, when attackers gain control of a Wi-Fi hotspot or a DNS server, they can insert a piece of JavaScript into all HTTP traffic, and every user of the app behind that Wi-Fi network or DNS server would be compromised.

Class C: The vulnerable WebView loads a local resource file.

Unlikely to be exploited directly, since the attacker must first gain control of the local file system. It might be exploited in combination with other vulnerabilities.

According to our scanning with the Trustlook platform, hundreds of Play Store apps (all at their latest version), including some well-known apps with more than 10 million installations, have been found vulnerable as Class A or B, and the number is still growing as our scanning continues. The total number of affected users has exceeded a billion.

You may want to ask why this vulnerability is still so widely exploitable even though Google patched it in Android 4.2 two years ago.

First, due to the nature of Android, versions are highly fragmented across the market: smartphones and tablets come from various vendors and use different third-party ROMs. So, unlike Windows or iOS, there is a large latency in pushing an update out to all end users. As of January 2014, only 24.6% of users have updated to Android 4.2 or a newer version (official data: http://developer.android.com/about/dashboards/index.html).

Second, most Android developers still lack awareness of security vulnerabilities.
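One way an app can close the Class A and Class B exposure described above while still running on pre-4.2 devices, as an added example that is not code from the original post or from Trustlook: the bridge object is only attached on Android 4.2+ (API 17), where the platform restricts page JavaScript to methods annotated with @JavascriptInterface, and the WebView refuses plain-HTTP and off-allowlist URLs. `WebViewHardening`, `AppBridge`, the host `app.example.com`, and the assumption that the app declares targetSdkVersion 17 or higher and minSdkVersion 11 or higher are this example's own.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class WebViewHardening {
    // Constructed allowlist: the only hosts this WebView is allowed to navigate to.
    private static final String[] ALLOWED_HOSTS = { "app.example.com" };

    // Hypothetical bridge object. On Android 4.2+ (API 17) with targetSdkVersion 17+,
    // page JavaScript can call only the methods carrying @JavascriptInterface.
    public static final class AppBridge {
        @JavascriptInterface
        public String getAppVersion() {
            return "1.0"; // constructed value
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView webView, boolean pageNeedsBridge) {
        // Before API 17 every public method of the bridge (and anything reachable from
        // it by reflection) is exposed to the page, so on such devices it is left out.
        if (pageNeedsBridge && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        } else {
            webView.removeJavascriptInterface("AppBridge"); // API 11+; no-op if absent
        }
        // JavaScript stays disabled unless the page really needs the bridge.
        webView.getSettings().setJavaScriptEnabled(pageNeedsBridge);

        // Class A/B defence: block plain-HTTP and off-allowlist navigation, so a
        // user-shared URL or an injected HTTP response cannot be loaded here.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(url); // returning true cancels the navigation
            }
        });
    }

    static boolean isAllowed(String url) {
        Uri uri = Uri.parse(url);
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) return false;
        for (String allowed : ALLOWED_HOSTS) if (uri.getHost().equalsIgnoreCase(allowed)) return true;
        return false;
    }
}
```

Check `isAllowed` on the initial URL before calling `loadUrl`, because `shouldOverrideUrlLoading` is not consulted for the load the app itself starts.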


In the past months, we have spent a lot of time contacting every company and mobile developer to get their vulnerability fixed. Considering their large number, we have only been able to help a small portion of them fix it. As time goes on, we hope to help more vendors.


Finally, as a result of this research, we have integrated the detection capability into our Antivirus application, which helps mobile developers scan and check their applications. If you are not sure whether your application is vulnerable, please download it and scan your device. If you have more questions, please contact us directly at support@trustlook.com.
