Friday, 19 September 2014

ANDROID - Be careful with it, because I'm giving you proof of it being hacked!

A serious vulnerability has been discovered in the web browser installed by default on a large number (approximately 70%) of Android mobiles that could allow an attacker to hijack users' open websites. The exploit targets vulnerabilities in Android versions 4.2.1 and all older versions and was first disclosed right at the start of September.


15 million mobile devices are infected with malware, and most of those run Android, according to a new report by Alcatel-Lucent's Kindsight Security Labs. Researchers found that "increasingly applications are spying on device owners, stealing their personal information and pirating their data minutes, causing bill shock." Mobile spyware, in particular, is on the rise. Four of the 10 top threats are spyware, including SMSTracker, which allows the attacker to remotely track and monitor all calls, SMS/MMS messages, GPS locations, and browser histories of an Android device.

Mobile infections increased by 17 percent in the first half of 2014, raising the overall infection rate to 0.65 percent. The frequency of attacks has increased as more and more consumers use broadband. The report shows that malware infections have grown by 17 percent during the first half of 2014, which is almost double the rate observed in 2013. Following this trend, residential infections on fixed networks also jumped to 18 percent towards the end of June, up from just 9 percent at the end of 2013.


The Android bug has been called a “privacy disaster” by Tod Beardsley, a developer for the Metasploit security toolkit, and to explain why, he has promised to post a video that is “sufficiently shocking.”


“By malforming a javascript: URL handler with a prepended null byte, the AOSP, or Android Open Source Platform (AOSP) Browser fails to enforce the Same-Origin Policy (SOP) browser security control,” Tod Beardsley of Rapid7 said in a blog post.

“What this means is any arbitrary website – say, one controlled by a spammer – can peek into the contents of any other web page,” Beardsley said. “If you went to an attacker's site while you had your web-mail open in another window, the attacker could scrape your email data and see what your browser sees.”

“Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.”
 

Baloch also found that the AOSP browser installed on Android 4.2.1 is vulnerable to a Same Origin Policy (SOP) bypass that allows one website to steal data from another. He then tested his findings on numerous devices, including Q.mobile Noir, Sony Xperia, Samsung Galaxy S3, HTC Wildfire and Motorola Razr, and found that it works on all of them.
Anyone running the latest release, Android 4.4, is not affected, which means that as many as 75 per cent of Android devices and millions of Android users are vulnerable to the attack, according to Google’s own statistics.
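
For a site owner who wants to estimate how many visitors still use the affected browser, the sketch below scans web server access logs for it. It is an added example, not code from the original post or from Rapid7; the log format, the User-Agent heuristics, the sample lines and the choice to treat everything below Android 4.4 as affected are assumptions.

```python
import re

# Assumptions (not from the post): logs are in combined format with the
# User-Agent as the last quoted field, and the stock browser sends
# "AppleWebKit" plus "Version/" without a "Chrome/" token. User-Agent strings
# can be spoofed or changed by vendors, so treat matches as an estimate.
ANDROID_RE = re.compile(r"Android (\d+)\.(\d+)")
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')
FIRST_UNAFFECTED = (4, 4)  # the post: Android 4.4 is not affected


def is_affected_stock_browser(user_agent):
    """True if the User-Agent looks like the stock browser on Android < 4.4."""
    m = ANDROID_RE.search(user_agent)
    if m is None:
        return False
    if "AppleWebKit" not in user_agent or "Version/" not in user_agent:
        return False  # not a WebKit stock-browser style string
    if "Chrome/" in user_agent:
        return False  # Chrome or a Chromium-based WebView
    return (int(m.group(1)), int(m.group(2))) < FIRST_UNAFFECTED


def affected_clients(log_lines):
    """Return the sorted client addresses that used an affected browser."""
    hits = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_affected_stock_browser(m.group(2)):
            hits.add(m.group(1))
    return sorted(hits)


# Constructed sample log lines (documentation IP ranges, not real traffic).
_PRE = ' - - [19/Sep/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
SAMPLE_LOG = [
    '203.0.113.5' + _PRE + '"Mozilla/5.0 (Linux; U; Android 4.2.1; en-us; Nexus 4 Build/JOP40D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
    '203.0.113.9' + _PRE + '"Mozilla/5.0 (Linux; Android 4.2.1; Nexus 4 Build/JOP40D) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.117 Mobile Safari/537.36"',
    '198.51.100.7' + _PRE + '"Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; Example Build/X) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
    '198.51.100.20' + _PRE + '"Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; GT-S5830 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"',
    '192.0.2.44' + _PRE + '"Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"',
]

if __name__ == "__main__":
    for ip in affected_clients(SAMPLE_LOG):
        print("stock browser on Android < 4.4:", ip)
```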

“Android does not currently have a Vulnerability Rewards Program. As far as publicly crediting for the vulnerability I have started maintaining a list of acknowledgements here. Given that this was published before we had a chance to provide patches, this specific report would not qualify.”


SOLUTION
In order to protect yourself, don't download all kinds of untrusted apps or open untrusted links, and if you have already downloaded them, disable the Browser on your Android device by going to Settings > Apps > All and looking for its icon. Open it and you'll find a DISABLE button. Select it to disable the Browser, and don't forget to reboot your Android system.

This is written from an inspired source and to create awareness, but not to hurt anyone.
-Bhaskar
