Google Play apps with millions of installs share stock Android browser flaw

Researchers have uncovered two more popular browsers for Android that contain the same vulnerability that led experts to recommend users avoid the stock Android browser.

As reported last week, a flaw in the WebView component of the default browser on Android devices running an OS earlier than KitKat Android 4.4 — simply known as Browser — could allow attackers to bypass its Same-Origin Policy security control. The flaw could allow an attacker behind a website in one opened window to take control of a user’s authenticated session and spy on the contents in other open web pages.

While the bug left the 80 percent of Android users not on KitKat vulnerable to attacks through the Android browser, Google Chrome developer advocate Paul Irish recently warned that third-party apps that used that WebView component were also vulnerable. So although Google dropped the Android Open Source Project browser in KitKat, KitKat users may also be affected through third-party apps and browsers that use WebView.

Researchers at security firm Rapid7 have now found that two popular browsers available on Google Play that use WebView can also be exploited using the same techniques.

“We've successfully exploited both the Maxthon Browser and the CM Browser,” said Rapid7’s Todd Beardsley, technical lead for the Metasploit Framework project.

The Maxthon Browser, which its developers claim has been installed over 600 million times, has gained 5 million to 10 million installs via Google Play, while the CM Browser from Cheetah Mobile Inc has notched up as many as 50 million installs through Google Play.

“We're confident there are plenty of apps that use WebView that are vulnerable to this [universal cross site scripting vulnerability],” Beardsley added. 

Fortunately, users who have installed either of these apps can uninstall them. Android users with the affected default browser may have little choice but to disable the browser, since it is less likely that it can be uninstalled.

According to Beardsley, Android users on pre-4.4 versions of the OS should consider using Google Chrome or Mozilla Firefox, assuming their hardware can handle them.


He also notes that while Google has apparently developed a patch for the flaw, the patch hasn’t yet been distributed by carriers and handset manufacturers.

The flaw was disclosed by security researcher Rafay Baloch on September 1, but it remained largely unnoticed until an exploit was added to the Metasploit framework later in the month. Baloch confirmed that the browsers on devices from Sony, Samsung, HTC and Motorola were also affected.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
