E-Z-2-Use module provides one-click exploitation of some Android phones

February 21, 2014

There is a security bug in Android that device manufacturers should know about. This bug was fixed by Google in the Android 4.2 Jelly Bean release, so we don’t need to panic. But so many devices out there do not have Jelly Bean or higher yet, and many more never will, so they remain vulnerable. The bug has obviously been around for a while and, truth be told, is a bit of a cause for concern, as it allows malicious code to run on a device with as many permissions as the app from which it originates.

We covered this bug in full detail just a couple of weeks ago when we learned that Google Glass is also susceptible. But the short of it is that arbitrary HTML and JavaScript code from within a WebView is able to access device files and resources with the same elevated permissions as the app that contains the compromised WebView element.


A tool called the E-Z-2-Use Metasploit module was published to the Rapid7 website, with full technical specs and instructions, which allows for one-click exploitation of this bug. In a related post on the Rapid7 blog, they explain that their goal is to help educate smartphone vendors on this vulnerability, in the hopes of seeing device updates.

We can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild.


The main point of contention here is not so much the bug itself. Bugs happen, and Google has fixed it; the problem is that device manufacturers and carriers are in control of rolling out the updates to their devices. Aside from security patches, this has caused rumblings among many users who spend months waiting for the newest version of Android to get to their devices, if they get it at all. Some manufacturers have tentatively committed to rolling out updates in a timely manner in the past, others are making new promises to their users now, and there is a rumor that Google is even looking at restricting Android version releases now, but this does not help older devices.

If your older Android device has been cut off by its maker, and you are in the market for a new one, we might recommend you check out the Google Play Edition phones and Google’s own Nexus line of devices. Manufacturers have promised to keep the Google Play Edition phones up to date as quickly and for as long as possible. The Nexus line, including the Galaxy Nexus, Nexus 4 and most recently the Nexus 5, is updated straight from Google, so these are debatably your best bet for continued support.

Do you feel like a visitor to misfit island as the proud owner of a forgotten device? Have you considered installing a custom ROM?
