{"id":4847,"date":"2014-02-19T10:00:57","date_gmt":"2014-02-19T15:00:57","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=4847"},"modified":"2014-02-19T10:00:57","modified_gmt":"2014-02-19T15:00:57","slug":"e-z-2-use-attack-code-exploits-critical-bug-in-majority-of-android-phones","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/02\/19\/e-z-2-use-attack-code-exploits-critical-bug-in-majority-of-android-phones\/","title":{"rendered":"E-Z-2-Use attack code exploits critical bug in majority of Android phones"},"content":{"rendered":"

\"\"<\/a><\/p>\n

Recently-released attack code exploiting a critical Android vulnerability gives attackers a point-and-click interface for hacking a majority of smartphones and tablets that run the Google operating system, its creators said.<\/p>\n

The attack was published last week as a module to the open-source Metasploit exploit framework used by security professionals and hackers alike. The code exploits a critical bug in Android’s WebView programming interface that was disclosed 14 months ago. The security hole typically gives attackers remote access to a phone’s camera and file system and in some cases also exposes other resources, such as geographic location data, SD card contents, and address books. Google patched the vulnerability in November with the release of Android 4.2, but according to the company’s figures, the fix is installed on well under half of the handsets it tracks.<\/p>\n

“This vulnerability is kind of a huge deal,” Tod Beardsley, a researcher for Metasploit maintainer Rapid7, wrote in a recent blog post. “I’m hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don’t last for 93+ weeks in the wild. Don’t believe me that this thing is that old? Just take a look at the module’s references if you don’t believe me.”<\/p>\n

The WebView vulnerability allows attackers to inject malicious JavaScript into the Android browser and, in some cases, other apps. In turn, it helps attackers gain the same level of control as the targeted program. The easiest way to exploit the bug is to lure a vulnerable user to a booby-trapped webpage. Within seconds, the site operator will obtain a remote shell window that has access to the phone’s file system and camera. In some cases, the exploit can also be triggered by performing a man-in-the-middle attack while the victim is on an unsecured Wi-Fi network. By hijacking the app’s update process, attackers can gain control over the same resources already granted to the app, including permissions such as access to SD cards and geographic data.<\/p>\n

Popping a shell<\/p>\n

The threat is closely related to one Ars wrote about in September. In addition to making the native Android browser included in vulnerable versions of the mobile operating system susceptible, the weakness can also affect third-party apps developed with older code libraries. Readers can see a video of the newly released Metasploit exploit module in action here. The resulting command shell can do anything the native Android browser can do.<\/p>\n

Rapid7’s Beardsley raises a good point about the proliferation of devices still running out-of-date versions of Android with known security vulnerabilities. Indeed, it’s not hard to find big-name sellers offering handsets that are vulnerable right out of the box. Ars has chronicled the checkered, slow history of Android updates before, as well as efforts by civil liberties groups to force US regulators to take action. Until carriers and sellers can be counted on to provide security updates for all their customers, the best bet for Android users is to use a Google-managed device such as the Nexus 4, which provides timely security updates directly from Google.<\/p>\n

via E-Z-2-Use attack code exploits critical bug in majority of Android phones | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

Recently-released attack code exploiting a critical Android vulnerability gives attackers a point-and-click interface for hacking a majority of smartphones and […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[3,9,10],"tags":[65,1176],"class_list":["post-4847","post","type-post","status-publish","format-standard","hentry","category-hardware","category-software","category-technology","tag-android","tag-vulnerabilites"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1gb","jetpack-related-posts":[{"id":9804,"url":"https:\/\/nccomputertech.com\/techtalk\/2024\/11\/08\/maximum-iceland-scenario-data-caps-3rd-party-android-stores-nuclear-amazon\/","url_meta":{"origin":4847,"position":0},"title":"Maximum Iceland Scenario – Data Caps, 3rd Party Android Stores, Nuclear Amazon","author":"NCCT","date":"November 8, 2024","format":false,"excerpt":"https:\/\/youtu.be\/P5MkCwktKz0 Data Caps, 3rd Party Android Stores, Nuclear Amazon \u2022 Google must crack open Android for third-party stores, rules Epic judge \u2022 Google asks 9th Circuit for emergency stay, says Epic ruling \u2018is dangerous\u2019 \u2022 Canceling subscriptions is about to get easier \u2022 The FCC is looking into the impact\u2026","rel":"","context":"In "Software"","block_context":{"text":"Software","link":"https:\/\/nccomputertech.com\/techtalk\/category\/software\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/P5MkCwktKz0\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9330,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/04\/03\/security-now-657-protonmail\/","url_meta":{"origin":4847,"position":1},"title":"Security Now 657: ProtonMail","author":"NCCT","date":"April 3, 2018","format":false,"excerpt":"https:\/\/youtu.be\/OeSZg-ph3Ns This week we discuss \"DrupalGeddon2\", Cloudflare's new DNS offering, a reminder about GRC's DNS Benchmark, Microsoft's Meltdown meltdown, the persistent iOS QR Code flaw and its long-awaited v11.3 update, another VPN user IP leak, more bug bounty news, an ill-fated-seeming new eMail initiative, Free electricity, a policy change at\u2026","rel":"","context":"In "Security"","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/OeSZg-ph3Ns\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9452,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/11\/19\/internal-bug-discovery-security-now-693\/","url_meta":{"origin":4847,"position":2},"title":"Internal Bug Discovery – Security Now 693","author":"NCCT","date":"November 19, 2018","format":false,"excerpt":"https:\/\/youtu.be\/ClVI9PMQGCY Australia vs Encryption, Google+ Bugs Hasten its Demise -- Australia's recently passed anti-encryption legislation -- Details of a couple more mega-breaches including a bit of Marriott follow-up -- A welcome call for legislation from Microsoft -- A new twist on online advertising click fraud -- The DHS is interested\u2026","rel":"","context":"In "Microsoft"","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/ClVI9PMQGCY\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9341,"url":"https:\/\/nccomputertech.com\/techtalk\/2018\/05\/20\/this-week-in-tech-667-give-me-your-history-hat\/","url_meta":{"origin":4847,"position":3},"title":"This Week in Tech 667: Give Me your History Hat","author":"NCCT","date":"May 20, 2018","format":false,"excerpt":"https:\/\/youtu.be\/1aKshseSHiQ Microsoft's new Surface Hub 2. Google Duplex freaks everyone out. GDPR shouldn't freak people out - unless you work in adtech. Fortnite is coming to Android. Apple caves in to China again, pays some Irish taxes, and goes shopping for a new campus. Washington D.C is full of Stingray\u2026","rel":"","context":"In "Microsoft"","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/1aKshseSHiQ\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9526,"url":"https:\/\/nccomputertech.com\/techtalk\/2019\/03\/03\/outrage-moms-this-week-in-tech-708\/","url_meta":{"origin":4847,"position":4},"title":"Outrage Moms – This Week in Tech 708","author":"NCCT","date":"March 3, 2019","format":false,"excerpt":"https:\/\/youtu.be\/rzRHMGNsnyI The end of smart-phones, AI fake people, Elon in the ditch again, and more. -- MWC 2019 and the Future of Smartphones and Wearables -- This Person Does Not Exist -- OpenAI and the Text Generator Too Dangerous to Exist -- Outrage Mobs and Twitter -- China's Social Credit\u2026","rel":"","context":"In "Technology"","block_context":{"text":"Technology","link":"https:\/\/nccomputertech.com\/techtalk\/category\/technology\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/rzRHMGNsnyI\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":9906,"url":"https:\/\/nccomputertech.com\/techtalk\/2025\/02\/11\/hw-news-rtx-50-continues-to-not-exist-strange-intel-cpu-amd-vulnerability-nvidia-stock-drop\/","url_meta":{"origin":4847,"position":5},"title":"HW News – RTX 50 Continues to Not Exist, Strange Intel CPU, AMD Vulnerability, NVIDIA Stock Drop","author":"NCCT","date":"February 11, 2025","format":false,"excerpt":"https:\/\/youtu.be\/LEjhJubhF9k In hardware news this week, Intel launches a strangely shaped CPU IHS, AMD has a vulnerability exposed by ASUS by accident, NVIDIA's stock drop plummets, the 50 series continues to be a retail myth, and the Steam Brick mod gives us something positive and fun for the week. News\u2026","rel":"","context":"In "Hardware"","block_context":{"text":"Hardware","link":"https:\/\/nccomputertech.com\/techtalk\/category\/hardware\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/img.youtube.com\/vi\/LEjhJubhF9k\/0.jpg?resize=350%2C200","width":350,"height":200},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/4847","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=4847"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/4847\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=4847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=4847"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=4847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}