Google Play apps with millions of installs share stock Android browser flaw

Researchers have uncovered two more popular browsers for Android that contain the same vulnerability that led experts to recommend users avoid the stock Android browser.

As reported last week, a flaw in the WebView component of the default browser (simply known as Browser) on Android devices running an OS earlier than KitKat Android 4.4 could allow attackers to bypass its Same-Origin Policy security control. The flaw could allow an attacker behind a website in one open window to take control of a user’s authenticated session and spy on the contents of other open web pages.

While the bug left the 80 percent of Android users not on KitKat vulnerable to attacks through the Android browser, Google Chrome developer advocate Paul Irish recently warned that third-party apps that used that WebView component were also vulnerable. So while Google dropped the Android Open Source Project browser in KitKat, third-party apps and browsers that use WebView mean that KitKat users may also be affected.

Researchers at security firm Rapid7 have now found that two popular browsers available on Google Play that use WebView can also be exploited using the same techniques.

“We've successfully exploited both the Maxthon Browser and the CM Browser,” said Rapid7’s Todd Beardsley, technical lead for the Metasploit Framework project.

The Maxthon Browser, which its developers claim has been installed over 600 million times, has gained 5 million to 10 million installs via Google Play, while the CM Browser from Cheetah Mobile Inc has notched up as many as 50 million installs through Google Play.

“We're confident there are plenty of apps that use WebView that are vulnerable to this [universal cross site scripting vulnerability],” Beardsley added. 

Fortunately, users who have installed either of these apps can uninstall them. Android users with the affected default browser may have little choice but to disable the browser since it’s less likely that it can be uninstalled.

According to Beardsley, Android users on pre-4.4 versions of the OS should consider using Google Chrome or Mozilla Firefox, assuming their hardware can handle them.


He also notes that, while Google has apparently developed a patch for the flaw, the patch hasn’t been distributed by carriers and handset manufacturers.

The flaw was disclosed by security researcher Rafay Baloch on September 1, but it remained largely unnoticed until an exploit was added to the Metasploit framework later in the month. Baloch confirmed that the browser on devices from Sony, Samsung, HTC and Motorola was also affected.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
