Android 2.1 and Below Susceptible to Web-Based Attack
In the computer industry you know you’ve succeeded with your entry into any given market when your footprint is big enough that people start writing exploits for your platform. Apple bragged for years about how “secure” their OS was because there weren’t any viruses on a Mac. Their popularity picked up, and guess what? Yup, people started writing viruses, malware, and other exploits for Mac.
As smartphones become more and more computer-like and their footprint in the market gets bigger, the likelihood of them being targeted for attack becomes greater. Such is the case with a recent exploit found to exist in the web browser app that comes with Android 2.1 and below.
This attack, announced at the HouSecCon conference in Houston by M.J. Keith, a “security researcher” with Alert Logic, lets an attacker “run a simple command line shell” on the phone once its user visits a website hosting the exploit.
The hole that Keith is exploiting is in the open-source WebKit browser engine that Google uses in the Android OS — not in the operating system itself.
“We’re aware of an issue in WebKit that could potentially impact only old versions of the Android browser,” said Google spokesman Jay Nancarrow in an e-mail. “The issue does not affect Android 2.2 or later versions.”
Android 2.2, Froyo, runs on less than 40% of Android phones.
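One way a site operator could measure how much of their own audience was still on the affected releases is to count Android versions in the web-server access log. The script below is an added example, not code from the article, Alert Logic, or Google: the log lines are constructed, the user-agent format is the standard combined log format, and the 2.2 cutoff is the one Google gives in the article.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format; not from the article).
# The user agent is the last quoted field on each line.
SAMPLE_LOG = """\
10.0.0.1 - - [09/Nov/2010:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 2.1-update1; en-us; Nexus One Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17"
10.0.0.2 - - [09/Nov/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 2.2; en-us; Droid Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
10.0.0.3 - - [09/Nov/2010:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 1.6; en-us; Dream Build/DRC83) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1"
10.0.0.4 - - [09/Nov/2010:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0 Safari/534.10"
10.0.0.5 - - [09/Nov/2010:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 2.3.1; en-us; Nexus S Build/GRH78) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
"""

# Matches "Android 2.1", "Android 2.1-update1", "Android 2.3.1", ...
ANDROID_VERSION_RE = re.compile(r"Android (\d+)\.(\d+)")

# Per the article: the stock browser on Android 2.1 and below is affected,
# and Google states that 2.2 (Froyo) and later are not.
FIRST_FIXED = (2, 2)


def android_version(user_agent):
    """Return (major, minor) for an Android user agent, or None if not Android."""
    m = ANDROID_VERSION_RE.search(user_agent)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def is_affected(user_agent):
    """True for Android releases below 2.2, False for 2.2+, None for non-Android."""
    version = android_version(user_agent)
    if version is None:
        return None
    return version < FIRST_FIXED


def user_agent_of(log_line):
    """Extract the user agent: the last double-quoted field of a combined-format line."""
    quoted = re.findall(r'"([^"]*)"', log_line)
    return quoted[-1] if quoted else ""


def summarize(log_text):
    """Count requests by exposure class: affected, not_affected, not_android."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict = is_affected(user_agent_of(line))
        if verdict is None:
            counts["not_android"] += 1
        elif verdict:
            counts["affected"] += 1
        else:
            counts["not_affected"] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label}: {n}")
```

The version string in a user agent is self-reported, so this gives a rough picture of exposure rather than a precise inventory: it can be spoofed, and a third-party browser on an old release may not use the stock WebKit build at all. It is still a quick way to see what share of your own visitors falls into the “2.1 and below” group the article describes.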
Thankfully, because of the way Android segments different apps from each other, the browser exploit doesn’t give complete access to a phone — not even a hacked or “rooted” one. However, anything the browser itself can read, the attacker can read as well.
No mention was made of Safari, the web browser used on iOS devices, which uses the same WebKit engine as the browser in Android.