Google Android security exploit made fully public by ITsec researcher

The researcher – MJ Keith of Alert Logic – apparently released the attack code, which he had previously talked about with journalists, at the HouSecCon security conference yesterday in Houston, Texas.

Reporting on this interesting turn of events, Robert McMillan of Techworld said that the attack code could be used to compromise smartphones running Android 2.1 and earlier.

"Keith says he has written code that allows him to run a simple command line shell in Android when the victim visits a website that contains his attack code", he said.

As previously reported by Infosecurity, the security bug centres on a flaw in the WebKit browser engine used by the Google Android smartphone operating system, as well as Google's Chrome web browser client.

The exploit's modus operandi appears to be similar to the 'onmouseover' flaw seen on Twitter back in September.

McMillan quotes Google as being aware of the flaw, but cites the company as saying it only affects older versions of the smartphone operating system, noting that Android 2.2 is running on more than 36% of Android smartphones.

There appears to be a spot of good news, however, as McMillan claims that, since "Android walls off different components of the operating system from each other, Keith's browser exploit does not give him full, root access to a hacked phone."

"But he can access anything that the browser can read", he noted.
