A researcher revealed a way to exploit a vulnerability affecting Google Android users that can be used to steal data.
A security researcher has uncovered a way to exploit a data-leak issue
affecting Google Android users.
Xuxian Jiang, an assistant professor at North
Carolina State University,
discovered the bug while working on what he described as an Android-related project.
The flaw, he wrote
in an advisory
, impacts Android 2.3 and is of the same nature as a
vulnerability uncovered last year by researcher Thomas Cannon on Android 2.2.
In an e-mail to eWEEK, Jiang explained that his exploit was not
and Android. The issue is mainly in the Android browser, though there is a nonbrowser
component in Android that is also related to the vulnerability, he wrote.
"We have a proof-of-concept exploit with a stock
Nexus S phone
and are able to successfully exploit the vulnerability to
steal potentially personal information from the phone," he wrote in the
advisory. "The attack works by requiring the user to visit a malicious
With the exploit in tow, an attacker could potentially obtain a list of
applications on the user's device and upload the apps located in /system and
/sdcard partitions to a remote server. An attacker could also read and
upload any file "stored on the phone's /sdcard" as well, as long as
they know the exact file name and directory path, Jiang explained in his
advisory. Attackers cannot grab all the files on the system, as the attack
is not a root exploit and still runs in the Android sandbox.
A spokesperson from Google said the company was contacted by Jiang about the
flaw two days ago and has developed a fix that will be rolled out in an
upcoming Android 2.3 maintenance update
. No firm date was given for when
the update will be pushed out to users.
Jiang offered a few mitigations, such as temporarily
"What I can say at this point is that the previous patch indeed fixes
the previously reported exploit," Jiang told eWEEK. "However, there
are other ways to exploit the same (or similar-depending on how you view the
problem) flaw. As I pointed out earlier, the ultimate fix will require changing
some essential components in the Android framework itself."