back to article THREE QUARTERS of Android mobes open to web page spy bug

A Metasploit module has been developed to easily exploit a dangerous flaw in 75 percent of Android devices that allows attackers to hijack a users' open websites. The exploit targets vulnerability (CVE-2014-6041) in Android versions 4.2.1 and below and was disclosed without fanfare on 1 September, but had since gathered dust, …

  1. Anonymous Coward
    Anonymous Coward

    This kind of headline leaves me with a smug smile on my face.......

    1. Anonymous Coward
      Anonymous Coward

      Do you understand the bug?

  2. Dan 55 Silver badge
    Boffin

    Android versions 4.4 and below = 100% of Android devices

    Or have my maths failed me yet again?

    The workaround would be to use Firefox mobile by the way, which unlike others is not just a rethemed Android browser.

    1. sabroni Silver badge

      Re: Android versions 4.4 and below = 100% of Android devices

      I'm on 4.4.4, that's not 4.4 or under. It's a Moto G so not an unpopular handset.

      1. dotdavid

        Re: Android versions 4.4 and below = 100% of Android devices

        Hardly anyone will have a 4.4 handset in that case; if memory serves, 4.4.1 came out almost immediately after 4.4. was pushed to AOSP.

    2. Aitor 1

      Re: Android versions 4.4 and below = 100% of Android devices

      And I am un 4.4.2.

  3. ACcc

    Android browser only?

    Does it affect Firefox?

    1. phuzz Silver badge

      Re: Android browser only?

      Nope, and not Chrome either.

  4. TonyHoyle

    1. AOSP has not been killed off, and I've never heard anyone suggest that it would be. They're talking about the AOSP *browser* which has been replaced by Chrome.

    2. 4.2.1 is not 75% of phones. The entire 4.2.x series is only 20%, and 4.2.2 would be the majority of that - and 4.2.2 was released 18 months ago. Note the CVE relates specifically to 4.2.1. You can't even get close to 75% by adding all the previous versions together (which would be bogus anyway unless you could prove it existed right back to froyo/gingerbread).

    So bug exists in a small % of old phones. Other than saying 'time to upgrade' what are people expected to do?

    1. Mike Bell

      Other than saying 'time to upgrade' what are people expected to do?

      Yes, it's a problem. Especially for people with phones that aren't capable of being upgraded. Or those with manufacturers who roll out updates very slowly.

      1. This post has been deleted by its author

        1. Pen-y-gors

          Why the Telcos?

          I bought my phone from Amazon, SIM-free. Nothing to do with a Telco - I think you mean the manufacturer.

          1. Lamont Cranston

            Re: Why the Telcos?

            Telcos and manufacturers should be required to cooperate, to ensure that users always have access to the most up-to-date OS (that their hardware can support). Still pie in the sky, but at least all the bases are covered!

  5. dotdavid

    "Metasploit module gobbles KitKat SOP slop"

    Er, actually the bug affects Jelly Bean 4.2.1. Surely this should be "Metasploit module gobbles Jelly Bean SOP slop"?

    1. Anonymous Coward
      Anonymous Coward

      Re: "Metasploit module gobbles KitKat SOP slop"

      This is the register... Why let facts get in the way of a crap tagline

  6. Haku

    I can't actually remember the last time I purposely used the Android Browser

    Mainly because I prefer FireFox as there's AdBlock for it as well as being able to change the User Agent to view desktop versions of websites.

    But there are one or two websites I've visited that will only ever display the mobile version, which I detest, despite changing the user agent in FF and selecting the "Request desktop version" option there appears to be no way so make FF only ever display desktop versions of websites.

    1. Test Man

      Re: I can't actually remember the last time I purposely used the Android Browser

      Because they aren't user-agent sniffing, that's why. They're fully responsive-designed sites.

      1. Anonymous Coward
        Anonymous Coward

        Re: I can't actually remember the last time I purposely used the Android Browser

        "They're fully responsive-designed sites."

        Well they can count me as an ex-reader then.

    2. BristolBachelor Gold badge

      Re: I can't actually remember the last time I purposely used the Android Browser

      With the stock Android browser, you can get into an extra settings page and set any user-agent that you want, including NCA Mosaic. Sorry, from here can't remember how, but istr you enter a specific non-URL string and then select something weird in settings or somesuch.

      I actually run Firefox because I also run it on one of my boxes too, so have access to open tabs, and bookmarks. However it doesn't do a good job with the "request desktop site" imho.

  7. Anonymous Coward
    Anonymous Coward

    Not possible

    It's not possible.

    Android is Linux/is based on Linux. Linux is secure by design and is not affected by malware

    ;-)

    1. Anonymous Coward
      Anonymous Coward

      Re: Not possible

      "Linux is secure by design and is not affected by malware"

      But if people put readily compromised applications on top, whose fault is that?

    2. Charlie Clark Silver badge
      Trollface

      Re: Not possible

      NFT

    3. Anonymous Coward
      Anonymous Coward

      Re: Not possible

      It's open source, millions of pairs of eyes look over every line of code for bugs :)

  8. Charlie Clark Silver badge
    FAIL

    Terrible article

    To borrow a neologism from Portlandia: Mr Pauli seems to be a "linkalist" and a bad one at that. Even based on the page he linked to 4.2.x has a distribution of 20 %. The article claims the exploit targets 4.2.1 but I suspect it might also work on earlier versions, too. Whatever, a journalist might research this, a linkalist just adds something racy to the headline. Obviously confusing JellyBean with KitKat doesn't matter.

    It's a pity because adding value would be easy: alternative stats could be obtained from The Register's own statistics which would add credence to or detract from the numbers quoted; and a demonstration page could be set up for users to test, or linked to assuming someone else has already done this.

    @El Reg can we start blacklisting some of the more futtocky linkalists you have? It's nice to be able to avoid the crap if possible.

    1. wdmot

      Re: Terrible article

      Charlie, and TonyHoyle, I think the 75% figure comes from a few things: the sentence on Rafay site under "Affected Versions" says "The initial tests were carried out on android browser 4.2.1 (Qmobile) and below"; the "update" on the same site that says "Other folks have verified this issue to work under Android browser < 4.4" (presumably meaning 4.3 and earlier); and the androidcentral stat that 24.5% of Android phones are running 4.4.x (or adding up all the prior versions -> 75.5%). I think the key bit of info that is still unclear is whether the bug existed prior to 4.2.1, as Rafay isn't clear about what "and below" means (did he test at least version 2.2?).

      If there's an easy way to test, I could do so with my version 2.1 which Sprint will never update...

  9. heyrick Silver badge

    Remind me again why Android's crappy update system is good?

    You'd have thought it would have been possible to patch the browser (an obviously potential vector) without a complete OS update...

    1. Anonymous Coward
      Stop

      Re: Remind me again why Android's crappy update system is good?

      Not sure why you have the down votes. The whole bitching about Windows was the i.e. integration. If the exploit is via a browser, why can't it be patched?

      1. dotdavid

        Re: Remind me again why Android's crappy update system is good?

        Google are moving away from the AOSP Browser towards bundling Chrome Mobile on their Nexus handsets, which of course is updateable via Google Play. The other alternative would be to release an update package to the AOSP Browser in the Play Store like they do for the News and Weather app.

        Of course they're not doing the latter and the former isn't much help to those with this security problem.

    2. Argh

      Re: Remind me again why Android's crappy update system is good?

      The majority of phones I've seen ship Chrome, which will auto-update happily.

      Some phones (particularly older ones) ship an AOSP based browser, usually also customised by the phone manufacturer, which has this issue.

      Android does allow such applications to be updated in the Play store, and some manufacturers have started to do this, e.g. manufacturers putting cameras, etc. in the Play store so they can be updated easily. Unfortunately, this has only started to happen fairly recently and I haven't yet seen a manufacturer customised browser updated via the store.

      So -- it's not an Android issue, it's a manufacturer issue that reflects badly on Android.

    3. Anonymous Coward
      Anonymous Coward

      Re: Remind me again why Android's crappy update system is good?

      The thing about these Play updates is the original app is still in the rom and taking up space. In many cases doubling the size of the app.

  10. BleedinObvious

    TWO-THIRDS not THREE-QUARTERS

    If you exclude 4.4 it's three-quarters, but if you correctly exclude both 4.3 & 4.4, it's two-thirds.

    Mind you, I'd be interested in whether Google plans to release a browser fix for 2.3 upwards (98.7%) via it's Google Play Services versions-are-irrelevant system updater launched late last year.

    http://www.trustedreviews.com/opinions/why-google-play-services-is-more-important-than-the-nexus-5

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like