A serious vulnerability has been discovered in the web browser installed by default on a large number (approximately 70%) of Android devices. It could allow an attacker to hijack users' open websites, and there is now a Metasploit module available to exploit this dangerous flaw with little effort.
The exploit targets a vulnerability (CVE-2014-6041) in Android version 4.2.1 and all older versions. It was first disclosed at the start of September by independent security researcher Rafay Baloch, but there has been little public discussion of it since.
The Android bug has been called a "privacy disaster" by Tod Beardsley, a developer for the Metasploit security toolkit, and to explain why, he has promised to post a video that is "sufficiently shocking."
"By malforming a javascript: URL handler with a prepended null byte, the AOSP (Android Open Source Platform) Browser fails to enforce the Same-Origin Policy (SOP) browser security control," Tod Beardsley of Rapid7 said in a blog post.
"What this means is any arbitrary website - say, one controlled by a spammer or a spy - can peek into the contents of any other web page," Beardsley said. "[If] you went to an attacker's site while you had your webmail open in another window, the attacker could scrape your email data and see what your browser sees."
"Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf."
Baloch also found that the AOSP browser installed on Android 4.2.1 is vulnerable to a Same Origin Policy (SOP) bypass that allows one website to steal data from another. He then tested his findings on numerous devices, including the Qmobile Noir, Sony Xperia, Samsung Galaxy S3, HTC Wildfire and Motorola Razr, and found that it worked on all of them.
Anyone running the latest release, Android 4.4, is not affected. Even so, as many as 75 per cent of Android devices, and millions of Android users, remain vulnerable to the attack, according to Google's own statistics.
Baloch explained that an SOP bypass occurs when one website makes its way to the properties of another site, such as its cookies, location, response, etc. "Due to the nature of the issue and potential impact, browsers have a very strict model pertaining to it and a SOP bypass is rarely found in modern browsers. However, they are found once in a while," Baloch said in a blog post.
As a responsible security researcher, Baloch reported the issue to Google, who responded positively by assuring him that they were working on a "suitable fix." But when it came to rewarding the bug hunter, Josh Armour of the Android Security team replied: "We are unable to reproduce this issue though. It's possible that your OEM has modified the browser in a manner that has created this issue."
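The parsing lesson behind this bug, applied on the defending side: an added example (not from the article, Rapid7 or Metasploit) of a strict link allowlist for a web application that renders user-supplied hrefs. The scheme is decided by a canonical URL parser after stripping leading control characters, rather than by a prefix string comparison that a leading NUL can slip past; `naiveLooksSafe`, `isSafeHref` and the sample inputs are my own constructions.

```javascript
// Added example, not code from the article. Decide a link's scheme with a
// canonical parser after stripping leading/trailing C0 controls and spaces,
// and allow only http(s). A prefix check alone is defeated by a leading NUL,
// the same parsing inconsistency that the AOSP browser bug relied on.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Naive check: the kind of ad-hoc test that a leading control character defeats.
function naiveLooksSafe(href) {
  return !href.toLowerCase().startsWith("javascript:");
}

// Strict check: normalise, parse against a base, then allowlist the protocol.
// Unparseable input is rejected rather than passed through.
function isSafeHref(href, base = "https://example.invalid/") {
  if (typeof href !== "string") return false;
  const cleaned = href.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  let parsed;
  try {
    parsed = new URL(cleaned, base);
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Constructed sample inputs: an ordinary link, a plain javascript: link, the
// NUL-prefixed variant (with a harmless body), and a relative path.
const SAMPLES = [
  "https://mail.example.invalid/inbox",
  "javascript:void(0)",
  "\u0000javascript:void(0)",
  "/relative/path",
];

// Run both checks over the samples so the difference is visible side by side.
function classify(hrefs) {
  return hrefs.map((h) => ({ href: h, naive: naiveLooksSafe(h), strict: isSafeHref(h) }));
}
```

The NUL-prefixed sample passes the naive check but is rejected by the strict one, which is the property a sanitizer needs.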
"Android does not currently have a Vulnerability Rewards Program. As far as publicly crediting for the vulnerability we have started to maintain a list of acknowledgements here. Given that this was published before we had a chance to provide patches, this specific report would not qualify."
The problem is that every version except Android 4.4 is affected by this issue, and a large number of users are still on the older versions. Worse still is the creation of a module for the Metasploit penetration testing platform, which makes exploiting the vulnerability much easier.
The flaw resides in the stock Browser app on Android devices, which usually can't be uninstalled because it is built into the operating system. To protect yourself, disable the Browser app: go to Settings > Apps > All, find the Browser icon, open it, and tap the DISABLE button.