Researcher Releases Android Exploit In Webkit Browser Engine

Outsmart Malicious Hackers


And Android security hits the news once again, it’s not a vulnerability in the OS per-say but rather in the browser based on the Webkit engine. It does highlight the inherent fragmentation problems with the Android platform and the security concerns that come with running old OS and software versions.

It’s a problem that is plaguing Android right now with different phones running different core OS versions (from 1.5 to 2.2) – on top of that 3rd party skins for the OS from Samsung, Motorola and more. This makes updating the OS slow and many users are stuck with old versions and no news regarding updates.

A security researcher has released proof-of-concept code that exploits a vulnerability in most versions of Google’s Android operating system for smartphones.

M.J. Keith of Alert Logic said he released the attack code to expose what he characterized as inadequate patching practices for the open-source mobile platform. Rather than find the underlying bug himself, he searched through a list of documented security flaws for Apple’s Safari, which relies on the same Webkit browser engine used in Android. In short order, he had an attack that exploits about two-thirds of the handsets that rely on the OS.

“They need a better patching system,” Keith told The Register. “They do a good job of repairing future releases, but I think a better patching system needs to be set up for Android.”

The bug Keith’s code exploits was fixed in Android 2.2, but according to figures supplied by Google, only 36 percent of users have the most recent version. That means the remainder are susceptible to the attack.

Google has claimed that they are changing the architecture with the upcoming release of Gingerbread, many of the system apps will be pushed to the Marketplace – meaning they can push out updates much faster and easier than if everything is integrated in the OS image.

Of course core problems with the kernel or underlying OS will still have to be addressed via firmware updates, but still like this – which effects the browser – could be negated if a new browser version could be pushed out from the Android Marketplace.

The same goes for the recent Critical Zero Day Abobe Flash Flaw Which Put Android Phones At Risk.


What’s more, Keith said he had no trouble finding other documented Webkit vulnerabilities that have yet to be fixed in version 2.2.

“I found about four or five and I wasn’t trying to [do] an exhaustive search,” he said.

A Google spokesman declined to comment for this post. To be fair, Android’s design does a good job of segregating the functions of one application from those of another. That would make it hard for someone exploiting the bug Keith demonstrated to gain root privileges or access to many of the targeted handset’s resources. But it still would allow an attacker to access anything the browser can read, including a phone’s Secure Digital memory card.

The bigger point, Keith said, is that most users have no idea their devices are vulnerable to bugs that were patched long ago on other platforms.

“I wanted to demonstrate that nobody’s being notified that their Android phone is vulnerable to this stuff,” he explained. Google “wants to pretend it’s not there.”

It is a serious problem that Android is facing right now and I hope Google do more to address this and work alongside with the handset vendors so OS updates can be pushed out in a more efficient and timely manner.

The exploit code can be found here:

Android 2.0-2.1 Reverse Shell Exploit

Source: The Register

Posted in: Exploits/Vulnerabilities, Hardware Hacking

, , , ,


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


Comments are closed.