Researchers in China published a trove of information on previously unknown (zero day) vulnerabilities in popular applications for Google’s Android mobile operating system on Wednesday, including mobile browsers and at least one mobile wallet application.
The vulnerabilities were found in a wide range of Android applications and components, including Webkit, which is used to render Web pages on Android and iOS devices, mobile versions of the Firefox and Opera Web browsers, applications for posting to Twitter and more. The vulnerabilities vary in severity, but many would allow a malicious hacker to access personal data on the device including sms messages and personal contacts, and manipulate or take control of social networking- and other third party services accessed from the vulnerable application.
Research on 6 zero day vulnerabilities was published on Wednesday by a group calling itself 80vul Quality Assurance Group. Little is known about 80vul, which describes itself as “a group of dedicated young people” on their Web page. Those vulnerabilities include cross site scripting, cross domain and cross protocol vulnerabilities in Webkit – a common component in Android, iOS and Max OSX devices. The researchers also found a cross site scripting vulnerability on a version of the Google Reader application for HTC Mobile devices that could allow a malformed (“evil”) RSS feed to access data on the device.
The 80vul group also found cross application scripting holes in a variety of popular mobile browsers for Android, including Mozilla’s firefox, the Opera browser and the native Android Web browser. The holes could allow attackers to point the browser to a malicious URL without the owner’s consent.
In a separate posting in December, faculty and students in the Department of Computing at The Hong Kong Polytechnic University in Hong Kong have published a separate group of 19 zero day vulnerabilities. They include a vulnerability in the UberSocial Twitter application that could allow an attacker to access a victim’s Twitter feed. (CVE-2011-4700). A vulnerability in the QIWI Wallet for Android would allow a malicious application to access and manipulate the victim’s credit cards and mobile banking accounts, the researchers warned on their Web page. (CVE-2011-4770). The Android Market records 76,000 downloads for the UberSocial application and around 6,000 for QIWI Wallet.
The vulnerabilities can all be triggered by visiting a compromised Web site that has been configured to exploit the vulnerabilities, said Tim Armstrong, a mobile security researcher for Kaspersky Lab.
Problems with Webkit, a Web page rendering technology, are well known. Cross site scripting holes and other types of information disclosure vulnerabilities are also common in the world of mobile applications, said Armstrong. “Android is particularly bad because pretty much anyone can be a developer,” he said. With many novice or just sloppy programmers pushing mobile applications onto online marketplaces, programming errors can make it easy to trick the applications into divulging sensitive information from the phone, or acting maliciously. The vulnerabilities are more a sampling of what is likely widespread within the mobile application space, rather than a special case of insecure applications, Armstrong said.
Security has become a sticking point for Google. The company has so far kept a loose reign on its Android Market, allowing registered publishers to upload their applications without scrutiny. That has led to a number of security scandals, including infections of the DroidDream and Plankton malware, which hid in infected versions of popular Android applications, and a 472 percent jump in Android malware in the first 10 months of 2011.
On February 2, Google announced a new automated scanning service, dubbed “Bouncer” That will scan the Market for potentially malicious software. Google said the service, which has been quietly been tested has already decreased the number of potentially malicious applications on the Market by 40%.
