E-Z-2-Use module provides one-click exploitation of some Android phones

by: Jonathan FeistFebruary 21, 2014

 Android Security

There is a security bug in Android that device manufacturers should know about. This bug was fixed by Google in the Android 4.2 JellyBean release, so we don’t need to panic. But so many devices out there do not have Jelly Bean or higher yet, and many more never will, so they remain vulnerable. The bug has obviously been around for a while and, truth told, is a bit of a cause for concern as it allows malicious code to run on a device with as many permissions as the app from which it originates.

We covered this bug in full detail just a couple weeks ago when we learned that Google Glass is also susceptible. But the short of it is that arbitrary HTML and Javascript code from within a WebView is able to access device files and resources with the same elevated permissions as the app that contains the compromised WebView element.


A tool called the E-Z-2-Use Metasploit module was published to the Rapid7 website, with full technical specs and instructions, which allows for one-click exploitation of this bug. In a related post on the Rapid7 blog, they explain that their goal is to help educate smartphone vendors on this vulnerability, in the hopes of seeing device updates.

We can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild.

Metasploit WebView hack

The main point of contention here is not so much the bug itself. Bugs happen, and Google has fixed it, the problem is that device manufacturers and carriers are in control of rolling the updates to their devices. Aside from security patches, this has caused rumblings for many users who spend months waiting for the newest version of Android to get to their devices, if they get it at all. Some manufacturers have tentatively committed to rolling out updates in a timely manner in the past, others are making new promises to their users now, and there is rumor that Google is even looking at restricting Android version releases now, but this does not help older devices.

If your older Android device has been cut off by its maker, and you are in the market for a new one, we might recommend you check out the Google Play Edition phones and Google’s own Nexus line of devices. Manufacturers have promised to keep the Google Play Edition phones up to date as quickly and for as long as possible. The Nexus line, including the Galaxy Nexus, Nexus 4 and most recently the Nexus 5, are updated straight from Google, so these are debatebly your best bet for continued support.

Do you feel like a visitor to misfit island as the proud owner of a forgotten device? Have you considered installing a custom ROM?

  • palzme

    Can this be avoided by using different browser ? Opera, Firefox ?

    • bob

      or a different os…

    • Jonathan Feist

      Just like bob suggests, I have not heard of any specific patches yet, so you need a new OS to avoid this bug. Different web browsers will not help as the WebView component is what gets compromised. The WebView component is what displays any web page or element of a web page, this includes advertisements within other apps, not just web pages within browsers. Check out Cyanogen Mod, or similar ROM developers if you want to try a new OS.

      From there, I want to leave off with something less scary, this exploit has been around for a long time, it is not typically used to attack devices because the permissions it can gain vary drastically from app to app. Your chances of running into any problems are low if you practice safe browsing, only install apps from trusted stores, don’t scan random QR Codes out on the street and avoid insecure wireless connections when possible.

  • Jaime

    The galaxy nexus will no longer be updated past 4.3 long live the galaxy nexus!

    • MadCowOnAStick

      …someone’s late to the party

      • Jonathan Feist

        Sorry about the confusion guys, I meant only to reference Galaxy Nexus as being a part of the Nexus family. Looking back, I didn’t make that very clear and should have just left it out.