What’s the difference between a “security researcher” and a “hacker”?
Someone has discovered a way to steal data from the microSD card in your Android device through a vulnerability in the Browser app. The someone in question is Xuxian Jiang, an assistant professor at North Carolina State University. Lucky for us, he’s one of the good guys, not a “hacker” in the malicious sense of the word.
While working on an Android-related project he discovered a flaw in the Android 2.3 browser. Ironically, a similar bug was recently found — and fixed — in the Android 2.2 browser. The exploit apparently isn’t very hard to implement, but it does require some detailed knowledge of JavaScript and Android.
“We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone. The attack works by requiring the user to visit a malicious link.”
Essentially, a user would follow a link to a malicious website, where an attacker could not only list all applications installed on the user’s device but also upload any apps located in the /system and /sdcard locations to a remote server.
It’s not just apps. The attacker could also upload any files stored on the phone’s SD card, as long as they know the exact file name and directory path.
Google has reportedly contacted Jiang and has already developed a fix, which will be deployed in a forthcoming update.
If you’re running Android 2.3 and want to avoid the problem until the patch comes out, you can temporarily disable JavaScript in the browser, or even use another browser like Dolphin or Skyfire.
Source: eWEEK











