A bug in the Android WebView programming interface allows attackers to remotely access most devices running the popular OS. It does not end there: attackers could easily access the handset’s camera and file system simply by creating a specially crafted web page, and via a Man-in-the-Middle attack they could deliver a trojanized app update to infect the victim’s mobile. The situation is critical: nearly 70 percent of Android-based handsets are vulnerable because they run Android versions prior to 4.2. The economics of an attack favor the offender, because it is always easier for the attacker to find the tools and knowledge to compromise mobile devices. Consider the above vulnerability in the Android WebView programming interface: Rapid7 recently released a new module for the Metasploit framework to “get shell” on most Android-running devices.
To secure mobile devices, carriers and manufacturers have to adopt an effective strategy to mitigate a growing number of cyber threats. As usual, the interval between the discovery of the bug and the release of the fix is too long: the flaw in the Android WebView programming interface was identified in December 2012, but Google fixed it in November 2013 by releasing Android version 4.2.
[The flaw] “kind of a huge deal” “In a completely unsurprising twist, I did a quick survey of the phones available today on the no-contract rack at a couple big-box stores, and every one that I saw were vulnerable out of the box,” “And yes, that’s here in the U.S., not some far-away place like Moscow, Russia.” “I’m hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don’t last for 93+ weeks in the wild,” said Tod Beardsley, technical lead for the Metasploit Framework.
In this case the end user is helpless: he can’t fix the problem and just has to wait for the next security update. There is a concrete risk that bad actors will start to use the Metasploit module on a large scale, a scenario that could have serious repercussions from a security point of view.
(Security Affairs – Android, Metasploit)