A serious security vulnerability has been discovered in the default web browser of Android versions below 4.4, running on a large number of Android devices, that allows an attacker to bypass the Same Origin Policy (SOP).
The Android Same Origin Policy (SOP) vulnerability (CVE-2014-6041) was first disclosed at the beginning of September 2014 by independent security researcher Rafay Baloch. He found that the AOSP (Android Open Source Project) browser installed on Android 4.2.1 is vulnerable to a Same Origin Policy bypass bug that allows one website to steal data from another.
Security researchers at Trend Micro, in collaboration with Facebook, have discovered many cases of Facebook users being targeted by attacks that actively attempt to exploit this particular flaw in the web browser. Because Metasploit exploit code for it is publicly available, exploiting the vulnerability has become much easier.
The Same Origin Policy is one of the guiding principles that protect users' browsing experience. The SOP is designed to prevent a page from loading or accessing content that does not belong to its own origin, ensuring that no third party can inject code without the authorization of the website's owner.
Unfortunately, the SOP can be undermined by a cross-site scripting vulnerability in older versions of Android smartphones, which helps attackers serve victims a malicious JavaScript file stored in a cloud storage account.
In this particular attack, a link is served through a particular Facebook page and leads Facebook users to a malicious website.
However, the "page contains obfuscated JavaScript code, which includes an attempt to load a Facebook URL in an inner frame. The user will only see a blank page as the page's HTML has been set not to display anything via its div tag, while the inner frame has a size of one pixel," Simon Huang, a mobile security engineer at Trend Micro, wrote in a blog post.
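The hidden-frame layout described in the quote above (a container div set not to display, holding a one-pixel inner frame that loads a URL on another origin) is a pattern a defender can look for in captured landing pages. The scanner below is an added example, not code from the article or from Trend Micro; the hostname landing.example and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
def _is_tiny(attrs, style):
    # True when any declared width/height is 1px or less (the one-pixel inner frame).
    declared = [attrs.get("width"), attrs.get("height")]
    declared += [p.split(":", 1)[1] for p in style.split(";")
                 if p.startswith(("width:", "height:"))]
    for value in declared:
        try:
            if float(str(value).lower().rstrip("px")) <= 1:
                return True
        except ValueError:  # missing, 'auto', '100%' and similar are not tiny
            pass
    return False

class HiddenFrameScanner(HTMLParser):
    # Flags cross-origin frames that are tiny or sit inside a display:none <div>.
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.div_stack = []  # one bool per open <div>: is it display:none?
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if tag == "div":
            self.div_stack.append("display:none" in style)
        elif tag in ("iframe", "frame"):
            src = a.get("src") or ""
            host = urlparse(src).netloc.lower()
            cross_origin = bool(host) and host != self.page_host
            tiny, hidden = _is_tiny(a, style), any(self.div_stack)
            if cross_origin and (tiny or hidden):
                self.findings.append({"src": src, "tiny": tiny, "hidden": hidden})

    def handle_endtag(self, tag):
        if tag == "div" and self.div_stack:
            self.div_stack.pop()

def scan_html(html, page_host):
    # Return the suspicious frames found in a page served from page_host.
    scanner = HiddenFrameScanner(page_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample mirroring the described layout (not a real capture).
SAMPLE_PAGE = ('<html><body><div style="display: none"><iframe src="https://www.facebook.com/"'
               ' width="1" height="1"></iframe></div><iframe src="https://cdn.example/widget"'
               ' width="300" height="250"></iframe></body></html>')
```

The full-size cross-origin widget frame in the sample is not reported; only the hidden one-pixel frame pointing at another origin is, which is the combination the attack depends on.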
The attacker's JavaScript code could allow them to perform various tasks on the victim's Facebook account on behalf of the legitimate account holder. According to the researcher, attackers can do almost anything with the compromised Facebook account using JavaScript code. Some of the activities are listed as follows:
- Add friends
- Like and follow any Facebook page
- Modify subscriptions
- Authorize Facebook apps to access the user's public profile, friends list, birthday information and likes
- Steal the victim's access tokens and upload them to the attackers' server
- Collect analytics data (such as the victim's location, HTTP referrer, etc.) using the legitimate service
Security researchers have observed that the criminals behind this campaign rely on an official BlackBerry app, maintained by BlackBerry, to steal the access tokens and thereby hijack Facebook accounts. By using the name of a trusted developer like BlackBerry, the attacker wants the campaign to remain undetected. Trend Micro reported its findings to BlackBerry.
"The mobile malware using the Android SOP Exploit (Android Same Origin Policy Bypass Exploit) is designed to target Facebook users regardless of their mobile device platform," BlackBerry told Trend Micro in a statement. "However, it attempts to take advantage of the trusted BlackBerry brand name by using our Facebook web app. BlackBerry is continuously working with Trend Micro and Facebook to detect and mitigate this attack. Note that the issue is not a result of an exploit to BlackBerry's hardware, software, or network."
Trend Micro is working together with Facebook and BlackBerry to detect the attack and prevent it from being carried out against new Android users.
All Android devices running versions below Android 4.4 KitKat are vulnerable to this SOP vulnerability. Google offered a patch back in September, but millions of Android smartphone users are still vulnerable to the attack because the smartphone's manufacturer no longer pushes updates to its customers or the device itself does not support a newer edition of the operating system.
The SOP vulnerability resides in the stock browser of the Android devices, which cannot be uninstalled because it is usually built into the operating system. So, to protect yourself, disable the Browser app on your Android device by going to Settings > Apps > All and looking for its icon. Open it, and you will find a DISABLE button; select it to disable the Browser.