Android 2.1 and Below Susceptible to Web-Based Attack


In the computer industry you know you’ve succeeded with your entry into any given market when your footprint is big enough that people start writing exploits for your platform. Apple bragged for years about how “secure” their OS was because there weren’t any viruses on a Mac. Their popularity picked up, and guess what? Yup, people started writing viruses, malware, and other exploits for Mac.

As smartphones become more and more computer-like and their footprint in the market gets bigger, the likelihood of them being targeted for attack becomes greater. Such is the case with a recent exploit found to exist in the web browser app that comes with Android 2.1 and below.

This attack, announced at the HouSecCon conference in Houston by M.J. Keith, a “security researcher” with Alert Logic, allows an attacker to “run a simple command line shell” when the target visits a website that hosts the exploit.

The hole that Keith is exploiting is in the open-source WebKit browser engine that Google uses in the Android OS — not in the operating system itself.

“We’re aware of an issue in WebKit that could potentially impact only old versions of the Android browser,” said Google spokesman Jay Nancarrow in an e-mail. “The issue does not affect Android 2.2 or later versions.”

Android 2.2, Froyo, runs on less than 40% of Android phones.

Thankfully, because of the way Android segments different apps from each other, the browser exploit doesn’t give complete access to a phone — not even a hacked or “rooted” one. However, anything that the browser can read, the attack can exploit.

No mention was made of Safari, the web browser used in iOS devices. It uses the same WebKit engine as the browser in Android.

Source: PC World


About The Author
Joe Levi
Joe graduated from Weber State University with two degrees in Information Systems and Technologies. He has carried mobile devices with him for more than a decade, including Apple's Newton, Microsoft's Handheld and Palm Sized PCs, and is Pocketnow's "Android Guy". By day you'll find Joe coding web pages, tweaking for SEO, and leveraging social media to spread the word. By night you'll probably find him writing technology and "prepping" articles, as well as shooting video.