UPDATE: A researcher at security firm Alert Logic has published code that could be used to compromise some versions of Google’s Android Operating System. The exploit, if properly adapted, could make Android phones vulnerable to remote attacks and compromises.
Researcher MJ Keith published a Reverse Shell Exploit that affects mobile devices running Android’s 2.0 and 2.1 operating system on November 5. The shell code takes advantage of a known vulnerability affecting WebKit, a common component of Web browsers, including the one bundled with Android, that is used to render Web page content and manage Web browsing sessions. The hole could be triggered by visiting a malicious Web site, according to a description of the hole published by Mitre.
Keith presented his findings at the HouSecCon, a Houston area security conference on November 4. In his presentation, Keith demonstrated an attack using the vulnerability, as well as attacks on common mobile applications such as the Bump sharing application.
The exploit was patched and will not work on the latest version of Android, 2.2, but was tested and shown to work on a variety of mobile platforms running earlier versions of Android, including the Motorola Droid. Heise Security tested the code against Android phones produced by HTC and were able to crash the the bundled browser on the device, but not obtain control over the phone, according to a report by H-Online.com.
The shell code, posted on exploit-db.com, is hard coded to work only against a single target and was designed as a proof of concept. The vulnerability in question has been known about for months, but its impact was believed to be limited to Apple’s Safari Web browser and applications such as Epiphany and Midori that run on the Ubuntu Linux operating system. Android, which uses the same WebKit component as those applications, was discovered to be vulnerable more recently.
The security of mobile devices, and in particular Android mobile devices, has become a concern. Google’s open source operating system is a boon for handset makers and application developers, who are free to develop their own flavors of Android to run on their devices and publish applications on the Android Marketplace with few of the restrictions Apple places on its own AppStore. But Android’s growing marketshare has caught the attention of both researchers and malware developers.
Most recently, security researchers found scores of high risk security holes in one version of Android, which runs on HTC’s Droid phones. Copies of the Fakeplayer Trojan horse program, which is designed to run on Android, have also been pushed in search engine optimized Web attacks – an approach more common to the world of Windows malware than mobile devices. (Those attacks, admittedly, are mostly limited to Russia.)
The dozens of flavors of Android’s OS managed by different handset makers is beginning to become an obstacle to managing the security of the OS, also, as handset makers wait to modify Android updates to suit their own needs, delaying their dissemination.
Though the latest version of Android, 2.2, includes a fix for the vulnerability that Keith’s code exploits, only 36 percent of Android devices use 2.2, with the remainder running earlier versions, including 2.1, 1.6, or 1.5 – which either are or may be vulnerable.
In a blog post on Monday, Keith said the attack he wrote was merely a proof of concept, and just the tip of a very large iceberg of platform and application insecurity on mobile devices. His presentation included an analysis of the popular Bump sharing application, which can be used to easily transfer business contacts, photos and other data between two phones. Keith observed that the Bump application transfers that data in the clear, making it easy to intercept and read. Keith pointed out that the Bump Web site claims that exchanged data is secure during transfer, when it is not. Even more serious: it transmits the unique mobile equipment ID – or MEID- of the phone in the exchange: a serious breach of protocol that could allow a remote attacker to clone that device on a cell network.
In an interview with Threatpost, Keith said he hadn’t made an effort to contact Bump about the insecure data transfer and MEID transmission problems. He said he was unsure where responsibility for patching the WebKit hole lies – with Google, with the carriers who own the infrastructure the phones will run on, or with the handset makers who are modifying Android for their devices.
The power of modern mobile devices and their reliance on common components that are also used by PCs provides fertile ground for hackers and cyber criminals, interested in the valuable data stored on mobile phones and similar devices.
“Make no mistake, you are carrying a tiny Linux computer in your pocket,” he wrote. The fact that Android is vulnerable to these attacks is no secret to the hacking community, and this is often why the phones get rooted so quickly.”