Corporate Android users face flaw affecting billions of devices

Corporate Android mobile phone users are warned that potentially billions of apps running on these devices could be hijacked by attackers using a vulnerability first highlighted over two years ago.

FireEye researchers have reported a continuing “widespread security issue” hitting Android users who download apps, from stores like Google Play, that include standard content from advert libraries.

Many of these libraries fetch their content over plain HTTP, which provides no encryption or integrity protection, allowing attackers to potentially hijack the app by inserting their own JavaScript code into the HTTP traffic. FireEye has identified a “JavaScript Binding Over HTTP” problem in apps running on Android version 4.1 or earlier, and a related “JavaScript Sidedoor” vulnerability on apps running Android 4.2 and above.

The company estimates that these vulnerabilities are present in billions of apps worldwide. A recent blog post from the firm reveals that nearly half of the top 40 Android ad libraries contain the JS Binding Over HTTP flaw, for example, and that 42 percent of the most popular Google Play apps access one or more of these ad libraries.

With over 12.4 billion downloads of these popular apps, the blog adds: “Our analysis shows that these security issues are widespread, have affected popular apps on Google Play accounting for literally billions of app downloads.”

According to researchers at security consultancy MWR InfoSecurity, which raised the issue in September 2013, the vulnerability dates back years and was first exposed publicly in December 2012.

But Jason Steer, director of technology strategy for FireEye EMEA, told SCMagazineUK.com that the firm is now seeing actual exploitation of such weaknesses in the wild.

“The reason why we've blogged about it now is this is becoming more widely exploited – it's moved from being a theoretical security angle, to being used by attackers currently. We're seeing multiple Android apps having this abuse already in the third-party app stores where a lot of people go to.”

FireEye is advising ad library and Android app developers to adopt better security features and practices. And Steer said they are responding when made aware that the problem is ‘real’.

“Apps developers take the off-the-shelf library and put them into their app without appreciating some of the security risks they may be exposing some of the users of these apps to, and perhaps even the business that these people work on behalf of as well,” he said. “But when you see potentially thousands and thousands of people who inadvertently get exposed to it, then there's a responsibility to try and fix it.”

Rob Miller, security consultant with MWR InfoSecurity, told SCMagazineUK.com that corporate security professionals and end-users – as well as developers – need to take action.

“This issue does affect a large number of users. The actual implications will depend on how you use Android devices,” he said.

“So for developers, obviously they need to take this as a warning that they need to go away and check what third-party libraries they're using and what kind of functionality that those libraries might allow over a JavaScript Bridge connection.

“For users it's a matter of – think twice before downloading these applications and check ‘am I happy with the idea of keeping personal data on a device that has potentially these kinds of vulnerabilities?’.

“And finally for companies it's really a matter of making sure if you are implementing BYOD, that you've really locked down the policy; that it's not just a ‘yes you can bring in your own device and it's probably OK’ - that you've actually gone through the security checks, that you've talked through the potential issues and that you then have the policies in place.”

FireEye said that with the JavaScript Binding Over HTTP vulnerability, if an app running on Android 4.1 or below uses the JavaScript binding method ‘addJavascriptInterface’ and loads library content in the WebView over HTTP, then an attacker on the network could hijack the HTTP traffic and thus take control of the host application.

With JavaScript Sidedoor on Android 4.2 onwards, an attacker could inject malicious content into the WebView, to misuse the exposed interfaces through the JS binding annotation.
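For developers checking their own apps and bundled ad libraries for the two conditions described above, the following audit sketch is an added example, not FireEye's or MWR InfoSecurity's tooling. It is a regex heuristic over Java source or decompiled output; the file names, bridge names, hosts and the `min_sdk` parameter are constructed for illustration, and it relies on Android 4.2 being API level 17.

```python
import re

ANNOTATION_API = 17  # Android 4.2, where the @JavascriptInterface annotation arrived

BRIDGE_RE = re.compile(r'\.addJavascriptInterface\s*\(\s*[^,]+,\s*"([^"]+)"\s*\)')
HTTP_LOAD_RE = re.compile(r'\.loadUrl\s*\(\s*"(http://[^"]+)"')
EXPOSED_RE = re.compile(r'@JavascriptInterface\s+public\s+[\w<>\[\]]+\s+(\w+)\s*\(')

# Constructed sample sources (hypothetical file, class and host names).
SAMPLE = {
    "AdActivity.java": '''
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AdBridge(this), "adBridge");
        webView.loadUrl("http://ads.example.test/banner.html");
    ''',
    "AdBridge.java": '''
        class AdBridge {
            @JavascriptInterface
            public void openCalendar(String json) { }
            public void internalOnly() { }
        }
    ''',
    "HelpActivity.java": '''
        webView.addJavascriptInterface(new HelpBridge(), "help");
        webView.loadUrl("https://help.example.test/index.html");
    ''',
}


def audit_sources(sources, min_sdk):
    """Return findings for files that bind a JS interface and load HTTP content."""
    # Annotated methods may live in a different file from the WebView setup.
    exposed = sorted({m for t in sources.values() for m in EXPOSED_RE.findall(t)})
    findings = []
    for path in sorted(sources):
        bridges = BRIDGE_RE.findall(sources[path])
        urls = HTTP_LOAD_RE.findall(sources[path])
        if not (bridges and urls):
            continue  # HTTPS-only content or no bridge: outside these two issues
        base = {"file": path, "bridges": bridges, "urls": urls}
        if min_sdk < ANNOTATION_API:  # app still runs on Android 4.1 or earlier
            findings.append({**base, "issue": "JavaScript Binding Over HTTP"})
        if exposed:  # annotated methods stay callable on Android 4.2 and above
            findings.append({**base, "issue": "JavaScript Sidedoor", "methods": exposed})
    return findings


if __name__ == "__main__":
    for finding in audit_sources(SAMPLE, min_sdk=16):
        print(finding)
```

A finding is a prompt for manual review of what each listed bridge method can do, since the regexes do not follow URLs built at runtime or bridges registered inside a compiled library.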

FireEye said Android 4.1 or below is still running on more than 80 percent of Android devices worldwide.

FireEye has analysed the vulnerability specifically in relation to InMobi apps and says that it has informed both Google and InMobi of its findings. Both companies have been actively working to address the problems.
