• Data Stealing Vulnerability Found in Android 2.3

    A researcher at NC State University has come across a new data stealing vulnerability in Android 2.3 (Gingerbread) while working on Android-related research. It is similar to the vulnerability that Thomas Cannon reported last November in Android 2.2 (Froyo). That earlier security hole was reportedly fixed in Android 2.3.

    Unfortunately, it appears from this latest report that the patch contained in Android 2.3 does not provide the expected solution, and it can still be bypassed by hackers. The NC State researcher has developed a proof-of-concept exploit with a stock Nexus S PDAPhone / Smartphone, and is able to successfully exploit the vulnerability to steal personal information from the device. For the exploit to work, a user simply needs to visit a malicious link. Using the proof-of-concept exploit, the researcher was able to:
    • Obtain a list of the applications currently installed in the device.
    • Upload the applications (located in /system and /sdcard partitions) to a remote server.
    • Read and upload the contents of any file (including photos, saved voicemails...) stored on the phone's /sdcard.
    Upon finding this exploit, the NC State researcher notified the Google Android Security Team on 01/26/2011 and provided them with a critical piece of exploit code so that they could better understand the nature of the vulnerability. Google has started an official investigation and has now confirmed that the vulnerability is real, and that a fix will be forthcoming with the next major release of Android (at the latest). That doesn't seem like very prompt action on something that puts many Android users at risk. Perhaps that is because this attack is not a root exploit, meaning it still runs within the Android sandbox and cannot grab all files on the system (only those on the /sdcard and a limited number of others). But still, any exploit, to me, is something that should be dealt with promptly once it is known. The NC State researcher has reported that he will not publish the details of the vulnerability until a fix is out, but I would think that knowing of its existence would entice hackers to try to find the hole.

    Before the ultimate fix is out, there are several ways to help mitigate the threat, including:
    • Temporarily disable JavaScript support in the Android browser.
    • Or, switch to a third-party browser for the time being such as Firefox.
    • Unmount the /sdcard.
    • Be cautious when viewing unfamiliar websites.
    Some of this may greatly affect the usability of the device, so hopefully Google will promptly provide a permanent patch to Android 2.3.