Smartphones and other gadgets running Android 4.4 or later contain a bug that can be exploited by rogue apps to steal website login tokens and spy on owners' browsing histories.
Those stolen authentication tokens can be used by a malicious application, such as a dodgy quiz app or game, to log into sites as the gizmo's owner to siphon off their information or meddle with their online accounts.
This is according to Sergey Toshin of security house Positive Technologies, who took credit for the discovery and reporting of the flaw, CVE-2019-5765, which lies within Google Chrome on Android. With patches out since February, Positive today went public with details of the security blunder.
The bug was introduced into Android starting from version 4.4, aka KitKat, which was released in 2013. If you are running Chrome on Android version 72.0.3626.81 or later on Android 7.0 or higher, you are patched and safe from this vulnerability. This update should have been automatically applied by now – check for Chrome updates if you're behind. If you're running an earlier flavor of Android, you can try to update the operating system's Android System WebView component via Google Play services.
The security flaw is within the Chromium browser engine, which powers Chrome on Android, and WebView, which apps can use to render web content. From Android 7.0 onward, WebView is implemented by Chrome using its Chromium engine; pre-7.0, WebView is a separate component, which is why there are two separate patch routes depending on which flavor of the OS you're using. Android 7 or higher? Update Chrome. Pre-7? Update WebView.
"Since Android 7.0, WebView has been implemented via Google Chrome and, therefore, updating the browser is enough to fix the bug," a spokesperson for Positive told us this week. "On earlier Android versions, WebView must be updated via Google Play. Users who do not have Google Play Services on their smartphones should wait for a WebView update from the device manufacturer."
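To turn the two patch routes above into a repeatable check, here is a small triage helper. It is an added example, not code from Positive Technologies or Google; it assumes the Android release string and Chrome's versionName come from something like `adb shell getprop ro.build.version.release` and `adb shell dumpsys package com.android.chrome`, and the sample lines it parses are constructed.

```python
"""Triage a device against the CVE-2019-5765 guidance in the article above.

Added example (not from Positive or Google). Assumed inputs: the Android
release string and the versionName line from dumpsys package output.
The only fixed build the article names is Chrome 72.0.3626.81 on
Android 7.0+; for pre-7.0 it gives no WebView build number, so that
branch only reports which component needs updating.
"""
import re

CHROME_FIXED = (72, 0, 3626, 81)   # first fixed Chrome build named in the article
WEBVIEW_VIA_CHROME = (7, 0)        # from 7.0 on, Chrome provides WebView
BUG_INTRODUCED = (4, 4)            # KitKat, per the article


def parse_version(text, width):
    """'7.1.2' -> (7, 1); '72.0.3626.81' -> (72, 0, 3626, 81). Pads with zeros
    so that '7' compares equal to '7.0' instead of sorting below it."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    return (parts + (0,) * width)[:width]


def version_name(dumpsys_output):
    """Pull versionName=<value> out of (constructed) dumpsys package output."""
    m = re.search(r"versionName=(\S+)", dumpsys_output)
    if not m:
        raise ValueError("versionName not found in dumpsys output")
    return m.group(1)


def triage(android_release, chrome_dumpsys):
    """Return (status, advice) following the article's patch routes."""
    android = parse_version(android_release, 2)
    chrome = parse_version(version_name(chrome_dumpsys), 4)
    if android < BUG_INTRODUCED:
        return ("not_affected", "article says the bug was introduced in Android 4.4")
    if android >= WEBVIEW_VIA_CHROME:
        if chrome >= CHROME_FIXED:
            return ("patched", "Chrome %s on Android %s" % (chrome, android))
        return ("update_chrome", "Chrome below 72.0.3626.81; update Chrome")
    return ("update_webview",
            "pre-7.0: update Android System WebView via Google Play or an OEM "
            "OTA; the Chrome version alone does not settle it")


if __name__ == "__main__":
    # Constructed sample: an Android 7.1.2 device with an old Chrome build.
    print(triage("7.1.2", "    versionName=71.0.3578.99"))
```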
As mentioned, applications can call upon WebView to display webpages within their user interfaces. We're told that, unfortunately, on vulnerable devices, a malicious app can abuse "an exposed debugging endpoint" via the component to access browser data, including authentication tokens, and browser history. A program that was legit and benign could be sold to an unscrupulous developer, who could push out an update that exploits this flaw on unpatched devices, for instance.
"The WebView component is used in most Android mobile apps, which makes such attacks extremely dangerous," said Leigh-Anne Galloway, Positive's Cyber Security Resilience Lead. "The most obvious attack scenario involves little-known third-party applications. After an update containing a malicious payload, such applications could read information from WebView."
The Samsung Internet Browser, Yandex Browser, and other browsers that use a vulnerable version of Chromium are also at risk. According to Positive, a miscreant could even abuse WebView from a dodgy instant app that runs without installing any code, collect user data in a log file, and potentially exfiltrate it.
"An attacker could specify the path to the file where the log should be written and even overwrite existing files, but he could not completely control the format of the recorded file, only some parts of the text," Toshin explained to The Register.
"This is because, for example, any third-party applications can open any links in Chrome, without requiring any rights, therefore, the malicious application could activate the profiler, open an arbitrary link, some of the data would have been recorded in an arbitrary file, and then the profiler can be deactivated."
Positive reiterated that while the most recent versions of Android will get a fix by updating to the latest version of Chrome, those running anything older than Android 7.0 will need to patch WebView separately, either via Google Play or through an over-the-air update from the device manufacturer. ®