Google Android Data Stealing Flaw Uncovered

A security researcher has uncovered a way to exploit a data-leak issue affecting Google Android users.

Xuxian Jiang, an assistant professor at North Carolina State University, discovered the bug while working on what he described as an Android-related project. The flaw, he wrote in an advisory, impacts Android 2.3 and is of the same nature as a vulnerability uncovered last year by researcher Thomas Cannon on Android 2.2.

In an email to eWEEK, Jiang explained that his exploit was not particularly difficult to implement, but requires some knowledge of JavaScript and Android. The issue is mainly in the Android browser, though there is a nonbrowser component in Android that is also related to the vulnerability, he wrote.

“We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone,” he wrote in the advisory. “The attack works by requiring the user to visit a malicious link.”

Google prepares fix

With the exploit in tow, an attacker could potentially obtain a list of applications on the user’s device and upload the apps located in /system and /sdcard partitions to a remote server. An attacker could also read and upload any file “stored on the phone’s /sdcard” as well, as long as they know the exact file name and directory path, Jiang explained in his advisory. Attackers cannot grab all the files on the system, as the attack is not a root exploit and still runs in the Android sandbox.

A spokesperson from Google said the company was contacted by Jiang about the flaw two days ago and has developed a fix that will be rolled out in an upcoming Android 2.3 maintenance update. No firm date was given for when the update will be pushed out to users.

Jiang offered a few mitigations, such as temporarily disabling JavaScript support in the Android browser or using a third-party browser instead.

“What I can say at this point is that the previous patch indeed fixes the previously reported exploit,” Jiang told eWEEK. “However, there are other ways to exploit the same (or similar — depending on how you view the problem) flaw. As I pointed out earlier, the ultimate fix will require changing some essential components in the Android framework itself.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago