Saturday, February 15, 2014

Browser Exploit for Android Highlights Google’s Update Problem

A security researcher has discovered a way to take over roughly 70 percent of Android devices via a Web page or app. It’s not known if anyone’s actually using the exploit to attack people’s phones, but the researcher’s findings are nonetheless a reminder that Google faces a growing headache because it lacks any way to effectively distribute security updates to the hundreds of millions of devices running its software worldwide. Many of those devices have outdated versions of Android.

The new exploit was developed by Joe Vennix, a software engineer at security company Rapid7, who last week added it to Metasploit, the company's penetration-testing framework used to test devices and systems for known vulnerabilities. His code makes use of a bug, first publicly disclosed in December 2012, in the Web browser component built into Android. The exploit can be triggered by luring someone to a Web page carrying the malicious code, or by delivering the code through an app: many apps render Web content such as ads with Android's built-in browser component, so a vulnerable device is exposed even if its owner never opens the browser itself. Vennix found that one Baidu app, for example, was vulnerable to the exploit even on a device running the version of Android released in December 2013, a year after the fix shipped, so an up-to-date platform does not by itself guarantee that every app on it is safe. Another researcher found that the exploit works on Google Glass.

Vennix estimates that 70 percent of Android devices are vulnerable to the exploit, based on Google's published figures for the share of active devices running each version of Android. And crucially, although Google released a new version of Android with a fix for the underlying bug in November 2012, a month before the bug was publicly disclosed, most devices running the older versions will likely remain vulnerable to the attack for as long as they remain in use, because they will never be updated.

Google has convinced many manufacturers to install Android on their products, but few are quick about rolling out new versions of the software. Nor does Google have a mechanism for pushing operating-system updates directly to devices, of the kind built into desktop operating systems such as Microsoft Windows or Mac OS. (...)

Over a billion Android devices have been activated since the software launched in October 2008, according to Google. Android devices are hardly plagued by malware to the extent that PCs are, and the use of app stores helps limit the spread of malicious code. Even so, the incidence of malware is growing and expected to get significantly worse (see “Attacks on Android Intensify” and “New Business Models for Malware to Bring PC Security Woes to Mobile”).

by Tom Simonite, MIT Technology Review
Image: www.norebbo.com