
October 27th, 2008

Google Android vulnerable to drive-by browser exploit

Posted by Ryan Naraine @ 10:38 am

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Google, Hackers, Malware, Mobile (In)Security, Open source, Patch Watch, Pen testing, Responsible disclosure, Vulnerability research, iPhone

Tags: Google Inc., Google Android, Web Browser, Google Android OS, Web Browsers, Security, Internet, Ryan Naraine

The Google Android operating system contains a serious security vulnerability that allows malicious hackers to launch drive-by browser attacks, according to an alert from a security research outfit.

Technical details of the vulnerability, which occurs because Google Android uses an unpatched open-source software package, are being kept under wraps until a patch is available.


Google was notified of this issue on October 20th, 2008.

According to a warning from Independent Security Evaluators (the company that found the first iPhone code execution flaw), this particular security vulnerability “was known and fixed in the relevant software package,” but Google used an older, still vulnerable version.

The Google Android OS powers the T-Mobile G1 by HTC, a device that’s currently in stores in the United States.


  • A user of an Android phone who uses the web browser to surf the internet may be exploited if they visit a malicious page. Upon visiting the malicious site, the attacker can run any code they wish with the privileges of the web browser application. We have a very reliable exploit for this issue for demonstration purposes.

The researchers, however, acknowledged that the impact of this attack is “somewhat limited” because of the way Google Android is designed.

  • A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into web application form fields, saved passwords, etc. They may also change the way the browser works, tricking the user into entering sensitive information. However, they can not control other, unrelated aspects of the phone, such as dialing the phone directly.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


