April 23, 2014

WebKit Vulnerability Allows Attackers to Take Control of Android Devices

(LiveHacking.Com) – CrowdStrike, a new security technology company formed by key cyber security executives from McAfee, will demonstrate a new WebKit-based attack against Google Android that results in the attacker gaining access to critical system processes and taking complete control of the victim’s device. The firm plans the demo as part of its debut at the RSA Conference 2012.

To launch the attack, a hacker sends an email or text message that tricks the recipient (via social engineering) into clicking on a link, which in turn infects the device. At this point, the hacker gains complete control of the phone, enabling him to eavesdrop on phone calls and monitor the location of the device.

Since WebKit is also used in Google Chrome, Research in Motion’s BlackBerry, Apple’s Safari web browser and Apple’s iOS devices, this could open up exploits across multiple platforms.

“With modifications and perhaps use of different exploits, this attack will work on every smartphone device and represents the biggest security threat on those devices,” said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike.

The CrowdStrike exploit only works on Android 2.2 (Froyo), but Alperovitch said he expects to have a second version of the hack soon that can attack phones running Android 2.3 (Gingerbread, which runs on about 59% of all Android devices).

The consequences of such a vulnerability are enormous: once the hole is patched in the WebKit project, it can take months for the fix to trickle down to actual devices. Worse still, many handset manufacturers never update the firmware on older phones, meaning that some Android 2.2 users will be left with a vulnerable phone with no possibility of a fix other than resorting to custom ROM images.
