Researcher Finds Google Android Data Stealing Vulnerability
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Researcher Finds Google Android Data Stealing Vulnerability

Written By
Brian Prince
Brian Prince
Jan 28, 2011
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

A security researcher has uncovered a way to exploit a data-leak issue affecting Google Android users.

Xuxian Jiang, an assistant professor at North Carolina State University, discovered the bug while working on what he described as an Android-related project. The flaw, he wrote in an advisory, impacts Android 2.3 and is of the same nature as a vulnerability uncovered last year by researcher Thomas Cannon on Android 2.2.

In an e-mail to eWEEK, Jiang explained that his exploit was not particularly difficult to implement, but requires some knowledge of JavaScript and Android. The issue is mainly in the Android browser, though there is a nonbrowser component in Android that is also related to the vulnerability, he wrote.

“We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone,” he wrote in the advisory. “The attack works by requiring the user to visit a malicious link.”

With the exploit in tow, an attacker could potentially obtain a list of applications on the user’s device and upload the apps located in /system and /sdcard partitions to a remote server. An attacker could also read and upload any file “stored on the phone’s /sdcard” as well, as long as they know the exact file name and directory path, Jiang explained in his advisory. Attackers cannot grab all the files on the system, as the attack is not a root exploit and still runs in the Android sandbox.

A spokesperson from Google said the company was contacted by Jiang about the flaw two days ago and has developed a fix that will be rolled out in an upcoming Android 2.3 maintenance update. No firm date was given for when the update will be pushed out to users.

Jiang offered a few mitigations, such as temporarily disabling JavaScript support in the Android browser or using a third-party browser instead.

“What I can say at this point is that the previous patch indeed fixes the previously reported exploit,” Jiang told eWEEK. “However, there are other ways to exploit the same (or similar-depending on how you view the problem) flaw. As I pointed out earlier, the ultimate fix will require changing some essential components in the Android framework itself.”
Brian Prince
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information