Today AVG Security expert reported a critical vulnerability in Android's WebView feature that allows an attacker to install malicious software, send SMSs and performing more tasks.
WebView uses a number of APIs which can interact with the web contents inside WebView. So this allows the user to view a web application as a part of an ordinary Android application.
Users can be infected when they click on a URL link using a vulnerable application that allows opening a Java enabled browser or web page. The commands in the JavaScript code can enable attackers to install malicious software, send SMSs, steal personal information and more.
To exploit the flaw, attacker can trick users to click a malicious link from a vulnerable WebView application and which will trigger a malicious JavaScript command contained on the same webpage.
All the applications running on Android 4.1 or older could perform malicious tasks and users are advised to upgrade to Android 4.2 or higher and download applications only from Google Play.
