Posts tagged: Android Vulnerability

Sep 16 2013

Android WebView Exploit Allows Hackers to Install Malicious Apps

There’s a vulnerability that affects WebView control in Android applications installed on Android devices running versions older than 4.2.

This vulnerability makes a large number of Android applications act as a hacker pipeline into user’s devices and provides a way to install malicious software, send SMSs and more.

Android WebView Exploit

WebView allows the user to view a web application (or just a web page) as a part of an ordinary Android application. The WebView class is an extension of Android’s View class that allows you to display web pages as a part of the appication’s screen layout.

All that WebView does, by default, is show a web page. When developing an Android application, if the web page you plan to load in your WebView uses JavaScript, you must enable JavaScript for your WebView.

Once JavaScript is enabled, you can create interfaces between your application code and your JavaScript code.

addJavascriptInterface (Object object, String name) method:
The addJavascriptInterface method injects a supplied Java object into WebView.
The object is injected into the JavaScript context of the main frame, using a supplied name and this allows the Java object’s methods to be accessed from JavaScript.

For applications running Android 4.1 or older, all public methods (including the inherited ones) can be accessed, so when a user’s installed application with addJavascriptInterface method loads an external webpage it can use WebView and javascript to call a java object (like a ‘Javascript pipeline’ and usage of reflection to invoke any other unregistered Java class) which allows attackers to call Android’s Java methods.

The Fix:
For applications running Android 4.2 all public methods that are annotated with JavascriptInterface can be accessed from JavaScript.

So if you develop an application for SDK version 17 or higher, you must add the @JavascriptInterface annotation to any method that you want available to your JavaScript.

If you do not provide the annotation, the method is not accessible by your web page when running on Android 4.2 or higher.

Infection Method:
Users can be infected when they click on a URL link using a vulnerable application that allows opening a Java enabled browser or web page.

The device will automatically perform the malicious actions that were ordered in the malicious web page that contain those JavaScript commands.

The commands in the JavaScript code can enable attackers to install malicious software, send SMSs, steal personal information and more.

Source: Analyzing an Android WebView exploit : AVG Official Blogs

Dec 22 2011

Backdoor in Android for No-Permissions Reverse Shell

Security expert Thomas Cannon working at viaForensics as the Director of R&D has demonstrated a custom-developed app that installs a backdoor in Android smartphones – without requiring any permissions or exploiting any security holes.

Thomas built an app which requires no permissions and yet is able to give an attacker a remote shell and allow them to execute commands on the device remotely from anywhere in the world. The functionality they are exploiting to do this is not new, it has been quietly pointed out for a number of years, and was explained in depth at Defcon-18 Presentation.

It is not a zero-day exploit or a root exploit. They are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel. This has been tested on Android versions ranging from 1.5 up to 4.0 Ice Cream Sandwich, and it works in a similar way on all platforms.

The application operates by instructing the browser to access a particular web page with specific parameters. This web page, and the server behind it, will, in turn, control the app by forwarding the browser to a URL that starts with a protocol prefix that is registered as being handled by the app, for example app://. This process can then be repeated and in doing so it enables two-way communication.

“In this demonstration Android’s power and flexibility were perhaps also its downfall. Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user. This power combined with the open nature of Android also facilitates the customisation of the system to meet bespoke security requirements. This is something we have even been involved in ourselves by implementing a proof of concept Loadable Kernel Module to pro-actively monitor and defend a client’s intellectual property as it passed through their devices. It is no surprise that we have seen adoption of Android research projects in the military and government as it can be enhanced and adapted for specific security requirements, perhaps like no other mobile platform before it.”Thomas Cannon said