Attackers Can Slip Malicious Code Into Many Android Apps via Open Wi-Fi
The weakness resides in a widely used programming interface known as WebView, which allows developers to embed Web-based content into apps used for banking, entertainment, and other purposes. Many apps available on the official Google Play market don’t properly secure the connection between the WebView component on a phone and the Web content being downloaded, researchers from UK-based MWR Labs recently warned. That makes it possible for attackers who are on the same open Wi-Fi network as a vulnerable user to hijack the connection and inject malicious code that can be executed by the phone.
“The lowest impact attack would be downloading contents of the SD card and the exploited application’s data directory,” the researchers wrote in an advisory published earlier this week. “However, depending on the device that was exploited this could extend to obtaining root privileges, retrieving other sensitive user data from the device or causing the user monetary loss.”
Researchers from several other security firms said they are also aware of the weakness, which can affect apps that run on Android versions 4.1 and earlier and don’t make proper use of the secure sockets layer (SSL) encryption protocol. Elad Shapira, a researcher with antivirus provider AVG recently demonstrated how an app that has already been given permission to access SMS capabilities (a common setting with many legitimate apps) could be hijacked by malicious JavaScript code that sends expensive text messages to premium services.
More: Attackers Can Slip Malicious Code Into Many Android Apps via Open Wi-Fi