Around 900 million Android users are still using smartphones running Android 4.3 (Jelly Bean) or older. That is roughly 60 per cent of all Android users worldwide, a huge user base. Unfortunately, all of these smartphones running older versions of Android are vulnerable: an attacker can compromise them by installing malware or spyware remotely.
By taking advantage of the available vulnerabilities, an attacker can exploit any smartphone running Android 4.3 or older and remotely install malicious applications that monitor all of the user's activities, steal sensitive information, or hand full control of the smartphone to the attacker.
The worst part is that these vulnerable Android users may never receive security updates or patches for these vulnerabilities, as Google has openly stated its position: it will not release a patch for vulnerabilities found in older versions of Android. However, if a third party develops a patch, Google will incorporate it into the Android Open Source Project code.
The two vulnerabilities currently making the rounds among security researchers and hackers are:
#1. Google Play Store X-Frame-Options (XFO) vulnerability
This vulnerability is found in the Google Play Store website (play.google.com). The website lacks appropriate X-Frame-Options (XFO) headers. XFO is an optional HTTP response header designed to protect against clickjacking and similar attacks by preventing a web page from being displayed inside a frame on another website. The Google Play Store fails to send this header on some error pages.
Because play.google.com fails to enforce XFO on some error pages, an attacker can embed an app page from play.google.com inside another web page, say hacker9.com/myexploit.html, in a way that triggers one of these error responses. When the user visits hacker9.com/myexploit.html, they see nothing but a blank page. If they click anywhere on that page, the clickjacking attack fires and the click lands on the Install button of the framed play.google.com app page.
Note that the attacker is abusing Google Play's remote installation feature, which lets any Google user install any app listed on play.google.com on their Android device just by clicking the Install button. In short, if you are logged into Google and have an Android phone linked to your account, the app auto-installs and auto-accepts its permissions within seconds, and you will never know.
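The gap described above is a coverage problem: the anti-framing header is present on the normal pages but missing on error responses. As an added illustration (not code from the article, Google or Rapid7), the Python checker below parses raw HTTP responses, including error pages, and reports every one that a third-party page could frame; it also recognises the CSP frame-ancestors directive, which browsers honour over X-Frame-Options. The sample responses and paths are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample responses (not real captures): an app page that sets
# XFO, an error page that omits it, and a page protected by CSP instead.
SAMPLE_RESPONSES = {
    "/store/apps/details?id=com.example.app": (
        "HTTP/1.1 200 OK\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "\r\n<html>app page</html>"
    ),
    "/store/apps/details?id=does.not.exist": (
        "HTTP/1.1 404 Not Found\r\n"
        "\r\n<html>error page</html>"
    ),
    "/store/search": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
        "\r\n<html>search</html>"
    ),
}

def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status code, lower-cased header map)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def framing_protection(headers: Dict[str, str]) -> str:
    """Name the mechanism that blocks cross-origin framing, or 'none'.
    Browsers honour CSP frame-ancestors over X-Frame-Options when both exist."""
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors" and "*" not in parts[1:]:
            return "csp-frame-ancestors"
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo-" + xfo.lower()
    return "none"

def audit(responses: Dict[str, str]) -> List[Tuple[str, int]]:
    """Return (path, status) for every response a third-party page could frame.
    Error statuses are checked too, since that is where the coverage gap hides."""
    parsed = {p: parse_response(r) for p, r in responses.items()}
    return [(p, s) for p, (s, h) in parsed.items() if framing_protection(h) == "none"]
```

Running audit over captured responses for a site's error paths (404, 500, redirects) is the quick way to confirm the header is applied by the front end for every status, not only by the handlers for successful pages.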
#2. Universal Cross-Site Scripting (UXSS) vulnerability
This vulnerability is found in the WebView component of the stock Android web browser. WebView, a core component used to render web pages on an Android device, exposes a number of APIs that interact with web content and let a web app be shown as part of an ordinary Android application. Users can be infected when they click a URL link in a vulnerable application that opens a Java-enabled browser or web page.
In a UXSS attack, client-side vulnerabilities in the web browser itself are exploited to create an XSS condition, so that malicious code executes while the browser's security protection mechanisms are bypassed or disabled.
According to Tod Beardsley of Rapid7, who is also the technical lead for the Metasploit Framework, combining these two vulnerabilities gives attackers a way to install any arbitrary app from the Play Store onto a victim's device, even without the user's consent.
Metasploit Module for Hacking Android Smartphones
Rapid7 has created a Metasploit module that can be used to attack or test the affected Android devices for these two vulnerabilities. The module is publicly available on GitHub, and according to the researchers involved, it combines the two vulnerabilities above to achieve remote code execution on the target Android device.
First, it tries to exploit the Universal Cross-Site Scripting (UXSS) vulnerability in the stock web browser (the AOSP Browser). Then the Google Play Store's web interface is targeted for script injection, since it fails to enforce an X-Frame-Options: DENY header (XFO) on some error pages. This leads to remote code execution through Google Play's remote installation feature, as any app available on the Google Play Store can be installed and launched on the user's device without their consent.
How not to get hacked?
If you happen to be using the affected Android version, here are some mitigations for you:
- Update your Android smartphone to the latest version. If the vendor does not offer the latest version or has discontinued firmware support, consider installing a custom ROM such as CyanogenMod.
- Use the Google Chrome or Mozilla Firefox web browser. This could help mitigate the lack of a universal X-Frame-Options (XFO) header on the play.google.com domain.
- Alternatively, simply stay logged out of your Google Play Store account to avoid the vulnerability.
Sources: hacker9, Rapid7, Tripwire