
Android Privacy Vulnerability Affects All Devices Not Running Android 4.4

September 17, 2014 - Written By Nick Terry

Towards the beginning of this month, a security researcher by the name of Rafay Baloch made the world aware of a new bug he had found in Android. Unfortunately, this is no little bug.

When we say that this new security flaw discovered in Android is no little bug, we mean it. The bug apparently has the potential to affect any Android device that is not running the latest version of Android, which is Android 4.4 KitKat. A little research shows that about 70 percent of Android devices currently in use are running a version of Android lower than 4.4 KitKat. As you can guess, this is not good by any means.

So what is it exactly that this privacy vulnerability causes on Android? Long story short, it allows a hacker to bypass the Same Origin Policy protection that is used by almost all modern browsers. This protection is designed to stop malicious and foreign code on one website from reaching into another website, such as one open in another tab. The flaw lets a hacker get around it: JavaScript code running on a website navigates to a URL handler with a null byte, and the protection is not applied. From this point the hacker could inject any and all the JavaScript that they wanted across other websites.

Translated to English, the vulnerability would allow a hacker to read passwords, hijack a user’s session, and scrape web pages. When Rafay Baloch first told Google about this flaw back in August, they told him that they were unable to reproduce the exploit on their end. But as soon as Rafay told the world about the flaw in a blog post, Google suddenly changed their tune and essentially got back to him with, “nevermind, we can fix this”. Needless to say, at this point Google has released patches for AOSP that patch the exploit right up.
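To make the null-byte bypass described above concrete from the defender's side, here is an added example that is not from the original article and is not AOSP code. It is a simplified model of a navigation guard: all function names and the sample URLs are hypothetical, and it assumes that a later URL handler ignores the leading null byte that the naive check trips over.

```javascript
// Simplified model of a browser navigation guard (hypothetical names, not AOSP code).
const SCRIPT_SCHEMES = new Set(["javascript"]);

// An origin under the Same Origin Policy is scheme + host + port.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// Naive check: reads the scheme only if it sits at the very start of the string.
// A leading null byte hides the scheme, so the URL is treated as an ordinary link.
function naiveScheme(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Hardened check: refuse any URL that carries control characters (NUL included)
// before looking at the scheme at all.
function strictScheme(url) {
  if (/[\u0000-\u001f\u007f]/.test(url)) {
    throw new Error("control character in URL");
  }
  return naiveScheme(url.trim());
}

// Decide whether a page at callerUrl may navigate a frame showing targetUrl to newUrl.
// Script-executing schemes are allowed only when caller and target share an origin.
function decide(callerUrl, targetUrl, newUrl, schemeOf) {
  let scheme;
  try {
    scheme = schemeOf(newUrl);
  } catch {
    return "block"; // malformed URL: fail closed
  }
  if (!SCRIPT_SCHEMES.has(scheme)) return "allow";
  return originOf(callerUrl) === originOf(targetUrl) ? "allow" : "block";
}

// Constructed sample values for illustration only.
const caller = "https://attacker.example/page";
const target = "https://bank.example/account";
const plain = "javascript:void(0)";
const withNul = "\u0000javascript:void(0)";

console.log(decide(caller, target, plain, naiveScheme));    // block
console.log(decide(caller, target, withNul, naiveScheme));  // allow (the gap)
console.log(decide(caller, target, withNul, strictScheme)); // block
```

The point for anyone reviewing URL-handling code is that the scheme check and the code that finally dispatches the URL must agree on how control characters are treated, and that rejecting them outright is the safe default.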

If Rafay was telling the truth about the way Google treated him through the process of trying to get this exploit recognized and patched, it's disappointing to say the least, not to mention the fact that Rafay has not received and will not be receiving recognition for initially discovering the exploit. But regardless of this, we are glad to see the exploit get patched by Google.