Beware of employees' cheap Android phones

Vulnerability discovered back in 2012 exploits Android phones running version 4.2 and earlier

An Android vulnerability known since 2012 has recently been found to be more serious than previously thought, particularly in phones that cost less than $150.

[iOS vs. Android: Which is more secure?]

When first discovered, the vulnerability in the WebView class used to embed a browser component to display online content in an app was thought to require an ongoing man-in-the-middle attack to be exploited. Security vendor Rapid 7 recently found that not to be the case.

Researcher Joe Vennix found that the vulnerability in Android versions below 4.2, which is early Jelly Bean, could be exploited by clicking on a link in a text message, which would send the recipient to a malicious website. At that point, the attacker could throw up whatever Web page they like, while JavaScript is downloaded in the background to exploit the vulnerability.

"In our exploit, it's just a blank page. There's nothing there," Tod Beardsley, engineering manager at Rapid7, said. "But by the time you hit the blank page, the gears are in motion."

Once loaded on the phone, malware could essentially control the device remotely. Depending on the permissions granted to applications, attackers could read the contents of the SD memory card, capture GPS info, steal the content of the address book and access the phone's camera and microphone.

Rapid7 has incorporated the exploit into Metasploit, the company's open penetration-testing tool. Because of the discovery, security professionals should be on the look out for employees accessing corporate networks with phones running Android versions below 4.2, which is early Jelly Bean.

Such phones typically sell for less than $150. Rapid7 has found them to be particularly easy to compromise, Beardsley said. "Most of what we're testing now are on these lower-end phones, and we get the most success on the cheaper phones."

Roughly half of Android phones are still running versions below 4.2, according to Google. Updating Android phones to the latest version has always been a problem, primarily because carriers and manufacturers are slow in distributing updates.

To prevent an exploit of the WebView vulnerability from getting on the corporate network, businesses should ban employee-owned phones running older versions of the operating system. More technical solutions would include running a separate container for corporate data, so it can't be moved to other apps or accessed by them.

[VPN flaw reported in latest version of Android]

In general, people who download Android apps from online stores other than Google Play are much more likely to load software that contains malicious code. Such stores are popular in Asia, Eastern Europe and Russia.

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)