Approximately 70% of Android users are still exposed to an Android browser (WebView) vulnerability that was disclosed in December 2012, and for which Google has shipped a fix since at least July 2013. The original exploit relied on injecting JavaScript into a WebView inside a third-party app, which meant the attacker first had to gain a man-in-the-middle position on that app's traffic before anything could be injected.
Now Joe Vennix and Josh Drake, researchers with Rapid7's Metasploit team, have developed a new exploit that can be used remotely: the target only has to open an attacker-controlled page. The effect is to hand the attacker code execution with the privileges of the app whose WebView loaded that page. Depending on the permissions granted to the exploited app, the attacker can potentially read the SD card contents, read GPS data, steal the user's address book, and access the built-in camera and microphone.
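The bug behind this is the behaviour of WebView.addJavascriptInterface on Android releases before 4.2: every public method of the exposed Java object, including the getClass() it inherits from Object, is callable from page script, which lets an injected page walk through reflection to java.lang.Runtime and run commands as the app. The following is an added example, not code from the article, from Rapid7 or from Metasploit; it shows the app-side pattern the exploit needs next to the hardened form a developer would ship. The package name, the bridge class names, the interface name "bridge" and the two URLs are illustrative assumptions.

```java
// Added example (not code from the article, Rapid7 or Metasploit).
// Package, class names, the interface name "bridge" and both URLs are hypothetical.
package com.example.webviewdemo;

import android.annotation.SuppressLint;
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class DemoActivity extends Activity {

    /** An exposed object of the kind the bug abuses: on Android 4.1 and earlier
     *  (API 16 and below) every public method is reachable from page script,
     *  including getClass() inherited from Object, from which reflection
     *  reaches java.lang.Runtime and runs commands under this app's UID. */
    public static class VulnerableBridge {
        public String version() { return "1.0"; }
    }

    /** Hardened variant: on Android 4.2+ (API 17+), and only if the app also
     *  targets API 17 or higher, just the methods carrying @JavascriptInterface
     *  are exposed; everything else, getClass() included, is unreachable. */
    public static class SafeBridge {
        @JavascriptInterface
        public String version() { return "1.0"; }

        // No annotation: not callable from JavaScript on a patched WebView.
        public void internalOnly() { }
    }

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        // --- vulnerable pattern (kept commented out on purpose) ---
        // Any exposed object plus content an attacker can reach or tamper with:
        // webView.addJavascriptInterface(new VulnerableBridge(), "bridge");
        // webView.loadUrl("http://ads.example.com/");  // plain HTTP: a MitM injects script

        // --- hardened pattern ---
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // 4.2+: the annotation is enforced (the app must target API 17+ too).
            webView.addJavascriptInterface(new SafeBridge(), "bridge");
        } else {
            // 4.1 and below: the annotation is ignored, so expose nothing at all.
            // WebView on these releases also adds an interface of its own,
            // "searchBoxJavaBridge_"; removing it closes that path as well.
            webView.removeJavascriptInterface("searchBoxJavaBridge_");
        }

        // Load only content you control, over HTTPS, so no third party can
        // inject script into the WebView in the first place.
        webView.loadUrl("https://app.example.com/");
    }
}
```

The two halves of the fix matter independently: the annotation check protects a patched device, while loading only trusted HTTPS content and exposing nothing on older releases is what protects the roughly 70% of devices the article says will never see the patch.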
In any other OS environment, a vulnerability patched some nine months ago should not still be exploitable on anything like this scale. The danger comes from the structure of the Android ecosystem. One of its strengths is its open nature, which allows device manufacturers to both adopt and adapt the operating system for their own devices. But it also means that they, rather than Google, are responsible for shipping software updates; and they are not very good at doing so.
"I did a quick survey of the phones available today on the no-contract rack at a couple big-box stores," notes Metasploit's Tod Beardsley in an associated blog post, "and every one that I saw was vulnerable out of the box. And yes, that's here in the U.S., not some far-away place like Moscow, Russia." In fact, he says, "over 70% of all Android devices out there are vulnerable to this bug."
Rapid7 has produced a short video demonstrating the exploit in action; all it takes is enough social engineering skill to persuade the target to scan a QR code pointing at the malicious page. By including the exploit within Metasploit, "we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild," says Beardsley.
But the real solution lies with Google. Google Glass, incidentally, runs an old version of Android (4.0.4) and is therefore vulnerable; indeed, Josh Drake has already exploited his own Glass. "It's kind of a mess," comments Vennix, "and I personally think Google is basically standing in the spot MSFT was before it built the Trusted Computing team and started Patch Tuesday – it needs to figure out how it's going to tackle this whole updating thing across the ecosystem, and it needs to do it fast." It is, he warns, only going to get worse as the Internet of Things grows and standardizes on embedded versions of Android.