Click and Get Owned on Android... Again

This week, we landed another Metasploit exploit for another Android WebView vulnerability; this time, it's a problem that occurs when replacing the "data" attribute of a given HTML object with a JavaScript URL scheme. Like the last Android security disaster we made a lot of noise about, this affects the stock Android Browser (aka, the one that ships with the Android Open Source Platform, or AOSP) prior to version 4.4, or any Android app that incorporates pre-4.4 WebView. This bug is very similar in its impact to September's vulnerability as well. In fact, it was discovered, reported, and disclosed by the same independent researcher, Rafay Baloch, via his blog, and incorporated into Metasploit by Joe Vennix.
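The bug above is triggered by an `<object>` whose `data` attribute is pointed at a `javascript:` URL. One defensive control a web developer or a WebView-based app author can apply on their own side is to refuse any non-HTTP(S) scheme before a URL ever reaches an `<object>` (or similar `src`/`href`) attribute. The following is an added example written for this post, not code from Rapid7, Metasploit, or Google's patch; it uses the WHATWG `URL` class available in Node.js and modern browsers, generalises the check to an allowlist of schemes, and the base URL `https://example.invalid/`, the helper names, and the sample inputs are all constructed for illustration.

```javascript
// Added example (not from the original post or from Metasploit): an allowlist
// check for URLs about to be placed in the "data" attribute of an <object>.
// The post describes the vulnerable pattern as replacing that attribute with a
// javascript: URL, which pre-4.4 WebView then executes. Instead of blocklisting
// "javascript:", only explicitly allowed schemes pass, so unusual schemes are
// rejected by default. Runs in plain Node.js via the WHATWG URL class.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalized absolute URL string if the value is acceptable as
// object data under the allowlist, or null if it must be rejected.
// baseUrl is a constructed placeholder; a real page would use its own origin.
function safeObjectDataUrl(value, baseUrl = "https://example.invalid/") {
  if (typeof value !== "string") return null;
  let parsed;
  try {
    // Resolving against a base handles relative URLs the way a browser would.
    // The URL parser also strips leading/trailing whitespace and lowercases
    // the scheme, so variants like "  JavaScript:..." normalise to the same
    // protocol value and cannot slip past a plain string comparison.
    parsed = new URL(value, baseUrl);
  } catch (e) {
    return null; // unparseable input is rejected
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Applies the check before assigning to an element's data attribute, so a
// rejected value never reaches the DOM. `el` is any object exposing
// setAttribute/removeAttribute (a DOM element in a browser, a stub in tests).
function setObjectData(el, value) {
  const safe = safeObjectDataUrl(value);
  if (safe === null) {
    el.removeAttribute("data");
    return false;
  }
  el.setAttribute("data", safe);
  return true;
}

// Constructed sample inputs: two should be accepted, the rest rejected.
const SAMPLES = [
  "https://example.com/doc.pdf",
  "/relative/path.swf",
  "javascript:void(0)",
  "  JavaScript:void(0)",
  "data:text/html,<b>hi</b>",
  "ftp://example.com/file.bin",
];

// Returns [input, accepted] pairs for each sample.
function classifySamples() {
  return SAMPLES.map((s) => [s, safeObjectDataUrl(s) !== null]);
}

for (const [input, ok] of classifySamples()) {
  console.log(`${ok ? "ACCEPT" : "REJECT"}  ${JSON.stringify(input)}`);
}
```

An allowlist is preferable to scanning for the string `javascript:` because the browser's own URL parser, not a hand-written regex, decides what the scheme is; the same `safeObjectDataUrl` helper can guard `<embed src>`, `<iframe src>` or any attribute a WebView will navigate or load.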

According to Google's monthly survey, Android versions prior to 4.4 are running on about 69% of the world's Android phones as of November of 2014. If we believe that Android accounts for 85% of the world's smartphones, and further posit there are about 1.84 billion phones in use by the end of 2014, that comes to a figure of about a billion (with a b) devices out in the world that are vulnerable to this bug, absent a patch.

As it happens, Google did patch this vulnerability for Android days after notification, which is great. Today, it's quite possible that handset manufacturers, carriers, aftermarket ROM developers, and even in-the-know consumers can now take Google's upstream patch and apply it to their own devices. Heck, they could write their own Android patches without Google's help. It's open source, after all.

The Metasploit Framework is open source, too, but luckily, we don't have a lot of intermediaries between Rapid7 and the end users. If (well, when) Metasploit ships with a security bug, you can bet that Rapid7 will write, validate and publish a fix, and then do what we can to make sure that Metasploit users have every chance to get at those fixes and apply them.

This direct-line relationship Rapid7 has with the devices running Metasploit doesn't appear to exist between Google and that vast majority of Android devices. Even though Google published a backport for this bug on September 30, it seems unlikely that the end user of the Android device will ever see that fix without buying a new phone first. For many, many people, buying a new phone just isn't practical; the people who are most likely affected by "legacy" Android bugs are the same people who couldn't afford a fancy "latest" Android handset in the first place.

In other words, it looks like a billion phones aren't going to see this patch any time soon, if ever. It's nice that the patch exists, but Google doesn't seem to have any practical way of getting it out to the world.

For a platform that's so integral to the human experience of the Internet, this seems like kind of a huge problem, and I don't know how to fix it at this point, given the way the Android ecosystem works. Any suggestions?

New Modules

In addition to the Android hotness, we've landed four other new modules this week.

Exploit modules

Auxiliary and post modules