Around 950 million Android users are still using smartphones running Android 4.3 (Jelly Bean) and older versions. That's roughly 60 percent of all Android users worldwide, a huge user base. Unfortunately, all these smartphones running older versions of Android are vulnerable, and attackers can easily compromise them by installing malware or spyware remotely.
By taking advantage of the available vulnerabilities, an attacker can exploit any Android smartphone running Android version 4.3 or older and remotely install malicious applications that can monitor all of the user's activities, steal sensitive information, or hand full control of the smartphone to the attacker.
The worst part is that these vulnerable Android users may never get any security updates or patches for these vulnerabilities: Google has openly stood by its position that it will not release any patch for vulnerabilities found in older versions of Android. However, if a third party develops a patch, Google will incorporate it into the Android Open Source Project code.
The two hot vulnerabilities that are making the rounds among security researchers and hackers are:
#1. Google Play Store X-Frame-Options (XFO) vulnerability
This vulnerability is found in the Google Play Store website (play.google.com). The website lacks appropriate X-Frame-Options (XFO) headers. XFO is an optional HTTP response header designed to protect against clickjacking and similar attacks by preventing a web page from being displayed by other websites inside a frame. The Google Play Store fails to enforce this XFO header on some error pages.
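The gap described above is easy to miss because the main pages carry the header while the error pages do not. The following added example (not code from the article, Google or Rapid7) checks a set of constructed raw HTTP responses and reports every one that can be framed by an arbitrary origin, treating either X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive as adequate protection:

```python
# Added example: inspect raw HTTP responses for anti-framing headers.
# All responses below are constructed for illustration, not captured traffic.
from typing import Dict, List, Optional, Tuple


def parse_headers(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers) from a raw HTTP/1.1 response; names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def framing_policy(headers: Dict[str, str]) -> Optional[str]:
    """Classify framing protection; None means any origin may frame the page."""
    xfo = headers.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return xfo
    if xfo.startswith("allow-from"):        # legacy value, still restricts framing
        return "allow-from"
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            return "csp"                     # 'none' or an allow-list both block strangers
    return None


def framable_responses(responses: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Return (path, status) for every response lacking an anti-framing policy."""
    return [
        (path, status)
        for path, raw in responses.items()
        for status, headers in [parse_headers(raw)]
        if framing_policy(headers) is None
    ]


# Constructed sample: the app page and account page are protected, the 404 error page is not.
SAMPLE = {
    "/store/apps/details?id=example": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                                      b"X-Frame-Options: SAMEORIGIN\r\n\r\n<html>app</html>",
    "/store/apps/does-not-exist": b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>error</html>",
    "/store/account": b"HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
                      b"frame-ancestors 'none'\r\n\r\n<html>account</html>",
}

if __name__ == "__main__":
    for path, status in framable_responses(SAMPLE):
        print(f"framable by any origin: {status} {path}")
```

Run the checker against every status code a site can return, not just its 200 pages; the error path is where this particular gap lived.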
Since Google Play Store (play.google.com) fails to enforce XFO headers on some error pages, an attacker is able to embed an app page from play.google.com in another webpage, say thehackerzworld.com/myexploit.html, which triggers a certain fake error. When the user visits thehackerzworld.com/myexploit.html, he will see nothing but a blank page. If he then clicks any portion of the webpage, the clickjacking attack is launched, forcing the user to click the install button present on the play.google.com app page.
Please note that the attacker is exploiting Google Play's remote installation feature, which allows any Google user to install any app listed on play.google.com to his Android device by just clicking the install button. In short, if you're logged into Google and have an Android phone linked to your account, the app will auto-install and auto-accept the permissions within seconds, and you'll never know it.
#2. Universal Cross-Site Scripting (UXSS) vulnerability
This vulnerability is found in the WebView component of the stock Android web browser. WebView, a core component used to render web pages on an Android device, exposes a number of APIs that interact with the web content, which allows a web app to be shown as part of an ordinary Android application. Users can be infected when they click on a URL link using a vulnerable application that opens a Java-enabled browser or web page.
In UXSS attacks, client-side vulnerabilities in the web browser itself are exploited to create an XSS condition, which allows malicious code to execute while bypassing or disabling the browser's security protection mechanisms.
According to Tod Beardsley from Rapid7, who is also a technical lead for the Metasploit Framework, combining these two vulnerabilities creates a way for attackers to install any arbitrary app from the Play Store onto a victim's device, even without the user's consent.
Metasploit Module for Hacking Android Smartphones
Rapid7 has created a Metasploit module that can be used to hack or test the affected Android devices for the two vulnerabilities. The module is publicly available on GitHub and, according to the researchers concerned, combines the above two vulnerabilities to achieve remote code execution on the target Android device.
First, it will try to exploit a 'Universal Cross-Site Scripting' (UXSS) vulnerability present in the stock web browser (the AOSP Browser). After that, the Google Play Store's web interface can be targeted for 'script injection', as the Play Store's web interface fails to enforce an X-Frame-Options: DENY header (XFO) on some error pages. This leads to remote code execution through Google Play's remote installation feature, as any app available on the Google Play Store can be installed and launched on the user's device without his or her consent.
How not to get hacked?
If you happen to be using an affected Android version, here are some mitigations:
Update your Android smartphone to the latest version. If the vendor does not offer the latest version or has discontinued firmware support, consider installing a custom ROM such as CyanogenMod.
Use the Google Chrome or Mozilla Firefox web browser. This helps mitigate the lack of universal X-Frame-Options (XFO) headers on the play.google.com domain.
Another way is to simply stay logged out of your Google Play Store account in order to avoid the vulnerability.