Android Vulnerability Still a Threat to Many Devices Nearly Two Years Later

The Android platform for smartphones has proved to be a money spinner for its handset manufacturers, with sales going up exponentially. However, one vulnerability or another keeps cropping up from time to time, dampening that success to an extent. The latest is the futex vulnerability, which affects all Linux kernels used by Android. It was recently used to successfully root a device like the Galaxy S5 for the very first time.

Earlier threat still looms large

What is even more surprising, however, is that a threat discovered a couple of years ago remains potent. According to the security company Bromium, the Android API called addJavascriptInterface lets applications expose their native code to web code running inside a WebView.

Many applications and advertising frameworks use WebView to display content loaded from remote servers, and applications affected by the API threat do not load that content over encrypted HTTPS (HTTP Secure) connections. Without transport encryption, attackers can easily intercept connections that originate from an app and inject malicious JavaScript into the traffic. This is called a 'man-in-the-middle' attack, and there are many ways to achieve it, mainly on wireless networks.

How does the vulnerability help attackers?

If an app does not, or cannot, encrypt its traffic and uses WebView together with addJavascriptInterface, an attacker can easily inject malicious JavaScript to gain full access to the app's functionality. He can then abuse the system the way he wants by changing permissions. Researchers have now demonstrated that attackers can even open a reverse TCP shell to take full advantage of this loophole. The reverse TCP shell gives the attacker control to start executing commands on the affected device.

That is not all. The attacker can also combine this kind of code execution attack with one of the many privilege escalation vulnerabilities that have affected the different Android versions. They can then run commands as root and gain total control over the device.

Google implements the fix

Google responded by implementing a fix for the addJavascriptInterface threat in its Android 4.2 release, back in 2012. But many apps and devices remain susceptible to such attacks, and that is a concern for Android users.

The issue stems from the fact that, to ensure compatibility with a wider range of devices, ad frameworks and other apps are developed against fairly low API versions. As a consequence, such an app is vulnerable even when it runs on fully patched devices with Android 4.2, 4.3 and 4.4.
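An audit check for the condition described above, added here as an example and not taken from Bromium or Google: it flags an app that calls addJavascriptInterface while targeting an API level below 17 (Android 4.2, where only methods annotated with @JavascriptInterface are exposed to JavaScript), and a bridged WebView that loads cleartext HTTP. The manifest, source snippet, package name and `audit` helper are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
FIXED_API = 17  # Android 4.2: only @JavascriptInterface methods are exposed

# Constructed sample inputs (hypothetical app, not from the article).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.adviewer">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
</manifest>"""

SAMPLE_SOURCE = """
WebView wv = new WebView(this);
wv.getSettings().setJavaScriptEnabled(true);
wv.addJavascriptInterface(new AdBridge(), "bridge");
wv.loadUrl("http://ads.example.com/banner.html");
"""

def target_sdk(manifest_xml):
    """Effective targetSdkVersion: falls back to minSdkVersion, then 1."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if sdk is None:
        return 1
    value = (sdk.get(ANDROID_NS + "targetSdkVersion")
             or sdk.get(ANDROID_NS + "minSdkVersion") or "1")
    # A non-numeric value is a preview codename; treat it as newest.
    return int(value) if value.isdigit() else 10000

def audit(manifest_xml, source):
    """Return a list of findings for one decoded manifest and source text."""
    findings = []
    uses_bridge = re.search(r"\.addJavascriptInterface\s*\(", source) is not None
    cleartext = re.findall(r'loadUrl\s*\(\s*"(http://[^"]+)"', source)
    sdk = target_sdk(manifest_xml)
    if uses_bridge and sdk < FIXED_API:
        # Old behaviour applies even on a patched 4.2+ device.
        findings.append(
            f"addJavascriptInterface with targetSdkVersion {sdk} < {FIXED_API}")
    if uses_bridge and cleartext:
        # Cleartext content can be modified in transit before it reaches the bridge.
        findings.append(
            "bridged WebView loads cleartext content: " + ", ".join(cleartext))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_SOURCE):
        print("FINDING:", finding)
```

The check works on a decoded AndroidManifest.xml and decompiled or original Java source; string-built URLs and bridges registered by third-party libraries need a deeper scan than this regex pass.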

The overall statistics do not look alarming, with 13% of apps possibly susceptible to attack. But not all apps are created equal: some are far more popular than others, and the more in-demand ones can affect a large user base, which is something Google must fix at the earliest.