With over 2 billion users, Android has an impressive number of devices to protect. But a "serious" bug that went undetected for more than five years, and that attackers could exploit to spy on a user and access their accounts, is a reminder that Android's impressive open source scope also creates challenges for defending a decentralized ecosystem.
Discovered by Sergey Toshin, a mobile security researcher at the threat detection company Positive Technologies, the bug comes from Chromium, the open source project behind Chrome and many other browsers. As a result, an attacker could target not only Chrome for mobile, but also other popular mobile browsers based on Chromium. More specifically, Chromium on Android has a feature called WebView, which works behind the scenes when you click on a link in a game or social network. This is what allows these web pages to load in a kind of mini-browser without you having to leave the application. By exploiting the Chromium vulnerability, hackers can use WebView to retrieve user data and gain broad access to their devices.
"An attacker could launch an assault on any Chromium-based mobile browser on an Android device, including Google Chrome, the Samsung web browser, and the Yandex browser, and retrieve data from its WebView," says Toshin.
Worse, the bug is present in all versions of Android since version 4.4, KitKat, released in 2013: the first version of Android to listen for "Ok Google" and the first to include emojis in Google Keyboard. Those were the days.
An attacker would get the most reliable and durable access to a victim's device by prompting them to install a malicious application that integrates WebView and exploits the bug. But Toshin points out that attackers could also use the bug to gain inappropriate access to the device by prompting users to click on a malicious link that would then open via the Android Instant App feature. This component allows users to run a version of an app immediately without actually installing it. In this scenario, an attacker would not have persistent access, but would have a limited time window in which to start transferring a user's data or information on their mobile accounts. Either way, both methods are silent and discreet compromises.
"In most cases, it's almost impossible to detect," says Toshin.
Positive Technologies disclosed the bug to Google in January, and the company fixed it as part of Chrome 72 at the end of the month. Devices running Android 7 or later should be able to get the update through general Chrome updates, but devices running Android versions 5 and 6 will need to install a special update for WebView via Google Play. This is convenient for Android owners who have automatic updates enabled, but those who don't should install the updates themselves. Toshin and Google also told WIRED that Android-based devices that do not include Google Play, such as Amazon Kindles, will require their manufacturers to send them a special patch. This is where Android's fragmented device population creates problems in getting patches onto the devices that need them.
Google has also indicated that it has not released a patch for Android 4.4 because the operating system is more than five years old and runs on only what the company characterizes as a small percentage of devices. But according to Google's own figures, 7.6% of Android devices still run KitKat. On an install base of 2 billion, this represents about 152 million devices. This is also more than the current version of Android, Oreo 8.1, which has 7.5% adoption.
Google has made every effort to improve its ability to deliver patches across devices and to minimize the barriers caused by variations in manufacturers' implementations. But there is still a long way to go. And because of Android's omnipresence in all contexts and at all price levels around the world, older versions of Android remain in use for a very long time.