Beware of employees' cheap Android phones

An Android vulnerability known since 2012 has recently been found to be more serious than previously thought, particularly in phones that cost less than $150.

When first discovered, the vulnerability in the WebView class, which apps use to embed a browser component for displaying online content, was thought to require an ongoing man-in-the-middle attack to be exploited. Security vendor Rapid7 recently found that not to be the case.

Researcher Joe Vennix found that the vulnerability in Android versions below 4.2, which is early Jelly Bean, could be exploited by clicking on a link in a text message, which would send the recipient to a malicious website. At that point, the attacker could throw up whatever Web page they like, while JavaScript is downloaded in the background to exploit the vulnerability.

"In our exploit, it's just a blank page. There's nothing there," Tod Beardsley, engineering manager at Rapid7, said. "But by the time you hit the blank page, the gears are in motion."

Once loaded on the phone, malware could essentially control the device remotely. Depending on the permissions granted to applications, attackers could read the contents of the SD memory card, capture GPS info, steal the content of the address book and access the phone's camera and microphone.

Rapid7 has incorporated the exploit into Metasploit, the company's open-source penetration-testing tool. Because of the discovery, security professionals should be on the lookout for employees accessing corporate networks with phones running Android versions below 4.2 (early Jelly Bean).

Such phones typically sell for less than $150. Rapid7 has found them to be particularly easy to compromise, Beardsley said. "Most of what we're testing now are on these lower-end phones, and we get the most success on the cheaper phones."

Roughly half of Android phones are still running versions below 4.2, according to Google. Updating Android phones to the latest version has always been a problem, primarily because carriers and manufacturers are slow in distributing updates.

To keep an exploit of the WebView vulnerability off the corporate network, businesses should ban employee-owned phones running older versions of the operating system. More technical solutions include running a separate container for corporate data, so it can't be moved to other apps or accessed by them.
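One way to act on the first recommendation is to watch for affected devices in proxy or web-server logs: the Android release is carried in the client User-Agent, and anything below 4.2 can be flagged for follow-up. This is an added example, not code from the article or from Rapid7; the log lines are constructed, and the log layout (User-Agent as the last quoted field) is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access-log lines (not from the article). The User-Agent is the
# last quoted field, which is an assumption about the log format.
SAMPLE_LOGS = [
    '10.0.0.12 - - [10/Sep/2014:09:01:11] "GET /intranet/ HTTP/1.1" 200 '
    '"Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I8190 Build/JZO54K) AppleWebKit/534.30"',
    '10.0.0.13 - - [10/Sep/2014:09:01:15] "GET /intranet/ HTTP/1.1" 200 '
    '"Mozilla/5.0 (Linux; Android 4.4.4; Nexus 5 Build/KTU84P) AppleWebKit/537.36"',
    '10.0.0.14 - - [10/Sep/2014:09:02:03] "GET /mail/ HTTP/1.1" 200 '
    '"Mozilla/5.0 (Linux; U; Android 2.3.6; en-gb; GT-S5360 Build/GINGERBREAD) AppleWebKit/533.1"',
    '10.0.0.15 - - [10/Sep/2014:09:02:40] "GET /mail/ HTTP/1.1" 200 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"',
    '10.0.0.16 - - [10/Sep/2014:09:03:10] "GET /intranet/ HTTP/1.1" 200 '
    '"Mozilla/5.0 (Linux; Android 4.2; SGP311 Build/10.1.1.A.1.307) AppleWebKit/537.36"',
]

# The article states the WebView issue affects Android releases below 4.2.
MIN_SAFE_VERSION = (4, 2)
ANDROID_RE = re.compile(r"Android[ /](\d+(?:\.\d+)*)")


def android_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Return the Android release as an integer tuple, or None if not Android."""
    m = ANDROID_RE.search(user_agent)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_below_min(version: Tuple[int, ...]) -> bool:
    """Numeric tuple compare: (4,1,2) < (4,2) is True, (4,10) is not, (4,2) is not.
    A bare major version such as (4,) compares as below (4,2) and is flagged conservatively."""
    return version < MIN_SAFE_VERSION


def flag_outdated_android(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client IP, Android release) for every line from an affected release."""
    flagged = []
    for line in log_lines:
        client_ip = line.split(" ", 1)[0]
        user_agent = line.rsplit('"', 2)[1]  # last quoted field (format assumption)
        version = android_version(user_agent)
        if version is not None and is_below_min(version):
            flagged.append((client_ip, ".".join(str(p) for p in version)))
    return flagged


if __name__ == "__main__":
    for ip, release in flag_outdated_android(SAMPLE_LOGS):
        print(f"{ip} is running Android {release}, below {MIN_SAFE_VERSION}")
```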

In general, people who download Android apps from online stores other than Google Play are much more likely to load software that contains malicious code. Such stores are popular in Asia, Eastern Europe and Russia.

Stories by Antone Gonsalves