Android devices prior to version 4.2.1 of the operating system—70 percent of the phones and tablets in circulation—have been vulnerable to a serious and simple remote code execution vulnerability in the Android browser for more than 93 weeks.
Metasploit recently added an exploit module that targets the vulnerability, which was patched in 4.2.2, released one year ago. However, with carriers and device makers slow to ship updates and security patches, close to three-quarters of the Android user base is at risk of attack. For some perspective, Android Central reports that KitKat, the latest version of Android, has yet to reach 2 percent adoption.
“I did a quick survey of the phones available today on the no-contract rack at a couple of big-box stores, and every one that I saw was vulnerable out of the box,” said Rapid7 senior manager of engineering Tod Beardsley. “And yes, that’s here in the U.S., not some far-away place like Moscow, Russia.”
The exploit module, built by contributors Joe Vennix and Joshua Drake, could enable access to the device camera, location data, information stored on an SD card and even the user’s address book. Drake said he was recently able to get code execution on Google Glass using the exploit.
The attack exploits a vulnerability that was disclosed in December 2012. The problem lies with the addJavascriptInterface method of WebView. Applications can use it to expose Java objects to the JavaScript running inside a WebView; malicious JavaScript loaded into that WebView can then drive those objects to cause unwanted behavior, such as sending expensive SMS messages to premium numbers or giving attackers access to data on the phone. JavaScript can also get around browser security controls, said researcher Neil Bergman, a security consultant who disclosed the vulnerability.
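The pattern Bergman describes, shown as an added illustration rather than code from the article, Rapid7, Metasploit or any of the people quoted: the first class is the legacy bridge that exposes every public method of the injected object, including inherited ones such as getClass(), which is what makes an unrestricted bridge dangerous on older releases. The second assumes a hypothetical Activity that already holds a WebView and applies the two controls a defender actually has: the @JavascriptInterface annotation (honoured by Android API level 17 and later when the app targets that level), which restricts exposure to explicitly marked methods, and a refusal to load any bridge-enabled page over anything but HTTPS, so a man-in-the-middle cannot substitute a page that drives the bridge.

```java
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

// Added illustration; not code from the article, Rapid7 or Metasploit.
// The Activity, WebView instance and URL passed in are assumed.

// Legacy pattern (runtime older than API 17, or targetSdkVersion below 17):
// every public method of the injected object, including those inherited from
// java.lang.Object such as getClass(), is callable from any page the WebView loads.
class LegacyBridge {
    public String getDeviceNote() { return "note"; }   // the only method meant to be exposed
}

@SuppressLint("SetJavaScriptEnabled")
final class WebViewHardening {
    // Constructed example of a deliberately narrow bridge.
    static final class SafeBridge {
        // With targetSdkVersion >= 17, only methods carrying this annotation are
        // reachable from JavaScript; getClass() and other inherited methods are not.
        @JavascriptInterface
        public String getDeviceNote() { return "note"; }
    }

    static void configure(WebView webView, String trustedUrl) {
        // JELLY_BEAN_MR1 is API level 17, the release that introduced the annotation check.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // On an older runtime the annotation has no effect, so expose no bridge at all
            // and keep JavaScript off for this WebView.
            webView.getSettings().setJavaScriptEnabled(false);
            webView.loadUrl(trustedUrl);
            return;
        }

        // Only load bridge-enabled content from an origin you control, over HTTPS, so a
        // man-in-the-middle cannot replace the page with one that drives the bridge.
        if (!trustedUrl.startsWith("https://")) {
            throw new IllegalArgumentException("bridge pages must be served over HTTPS");
        }

        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new SafeBridge(), "Device");
        webView.loadUrl(trustedUrl);
    }
}
```

The runtime check matters because the annotation is enforced by the platform, not by the compiler: an app compiled with the annotation and installed on a pre-4.2 device still exposes the whole object, which is why the hardened path disables the bridge entirely there rather than trusting the annotation.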
Rapid7 said an attacker would need a man-in-the-middle position between the device and the network in order to exploit it, something its new exploit module simplifies. The company demonstrates the exploit in a video; in that case it is triggered by a malicious QR code that the victim scans with an Android smartphone, which opens a command shell for the attacker.
The best mitigation is to update Android to 4.2.2 or higher, but that isn’t always feasible for users. Device manufacturers and carriers control when updates are rolled out, despite the fact that Google is generally prompt with patches and updates.
The carriers and manufacturers have been under fire from privacy and security experts and even the U.S. Federal Trade Commission. Last April, the American Civil Liberties Union asked the FTC to investigate four major carriers, accusing them of deceptive business practices and of knowingly selling consumers defective phones that lack security updates and patches. The ACLU requested that the FTC force carriers to warn customers about unpatched vulnerabilities, allow customers with vulnerable phones to escape their contracts without early termination penalties, and let customers exchange their phones at no cost for one that receives regular security updates, or return the phone for a full refund.
Last February, the FTC reached a damning settlement with device maker HTC America. The FTC forced HTC to enact expensive security enhancements, including regular security patches for its Android devices, to establish a security program that focuses on developer security, and to submit to security assessments.