A researcher revealed a way to exploit a vulnerability affecting Google Android users that can be used to steal data.
A security researcher has uncovered a way to exploit a data-leak issue affecting Google Android users.
Xuxian Jiang, an assistant professor at North Carolina State University, discovered the bug while working on what he described as an Android-related project. The flaw, he wrote in an advisory, impacts Android 2.3 and is of the same nature as a vulnerability uncovered last year by researcher Thomas Cannon on Android 2.2.
In an e-mail to eWEEK, Jiang explained that his exploit was not particularly difficult to implement but requires some knowledge of JavaScript and Android. The issue is mainly in the Android browser, though there is a nonbrowser component in Android that is also related to the vulnerability, he wrote.
"We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone," he wrote in the advisory. "The attack works by requiring the user to visit a malicious link."
With the exploit in hand, an attacker could potentially obtain a list of applications on the user's device and upload the apps located in the /system and /sdcard partitions to a remote server. An attacker could also read and upload any file "stored on the phone's /sdcard," as long as they know the exact file name and directory path, Jiang explained in his advisory. Attackers cannot grab all the files on the system, as the attack is not a root exploit and still runs in the Android sandbox.
A spokesperson from Google said the company was contacted by Jiang about the flaw two days ago and has developed a fix that will be rolled out in an upcoming Android 2.3 maintenance update. No firm date was given for when the update will be pushed out to users.
Jiang offered a few mitigations, such as temporarily disabling JavaScript support in the Android browser or using a third-party browser instead.
"What I can say at this point is that the previous patch indeed fixes the previously reported exploit," Jiang told eWEEK. "However, there are other ways to exploit the same (or similar, depending on how you view the problem) flaw. As I pointed out earlier, the ultimate fix will require changing some essential components in the Android framework itself."