What’s the difference between a “security researcher” and a “hacker”?
Someone has discovered a way to steal data from the microsd card in your Android through a vulnerability in the Browser app. The someone in question is Xuxian Jiang, an assistant professor at North Carolina State University. Lucky for us, he’s one of the good guys — not a “hacker” in the malicious sense of the word.
“We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone. The attack works by requiring the user to visit a malicious link.”
Essentially, a user would follow a link to a malicious website where an attacker could not only list all applications installed on the user’s device, they could also upload any apps located in the /system and /sdcard locations to a remote server.
It’s not just apps. The attacker could also upload any files stored on the phone’s sdcard — as long as they know the exact file name and directory path.
Google has reportedly contacted Jiang and have already developed a fix which will be deployed in an forthcoming update