An exploit for a vulnerability in Android versions prior to 4.2 (Ice Cream Sandwich) that affects around 70% of all Android devices has now been published with the Metasploit penetration testing framework. Metasploit is a tool used by security specialists when testing the security of software and operating systems. It’s also free, which means that every miscreant is now able to setup traps to take ownership of your phone – and it’s very simple!
Here’s a demonstration using Metasploit where merely scanning a QR code leads to a hacked phone:
The vulnerability has existed for over 14 months, but phone vendors have done precious little about it.
The “single-click” Metasploit exploit allows a hacker to create a webpage that your phone only has to load once in order to infect it. The phone will then open a network connection to the hackers computer notifying him that the phone has been compromised. The hacker can then log into your phone’s operating system to interact with just about all of the information on it, without you knowing – including microphone, camera etc.
This is all scarey enough for adults, but the ramifications of this Android exploit for compromised phones belonging to children is sobering.
Even more of a concern is that the WebView technology which is the component software that is vulnerable is used by a great many apps in Google’s Play Store to display adverts etc., particularly free aps that rely on advertising – again, which are frequently downloaded by children. Should an attacker gain access to one of the advertisers web servers, or be able to perform a man-in-the-middle attack while you are using an app, then the possibilities are worrying.
What should you do?
If your phone is still not on 4.2 or higher, then upgrade the operating system as soon as possible! If you are worried about using up your credit on data, then find yourself a WiFi network to connect to and do it that way.
Android version 2.x – it is unpublished at this time if this version of Android is affected.
If your phone doesn’t support 4.2 or later or if you really have to carry on using an older version of Android, then it is probably best to avoid apps that deliver advertising content, and to install and use a browser that does not use the WebView framework such as Firefox or Opera and use that for browsing the internet instead.
p.s. our own QR Code that introduced this article is quite safe!