Researcher warns of Android browser vulnerability

A flaw exists in the Google-led Android mobile platform that could let users be tricked into visiting malware-laden websites and unwittingly have their keystrokes recorded, The New York Times has reported.

According to the Saturday article, a researcher and former US National Security Agency computer-security specialist, Charles Miller, told Google about the flaw last week. The article also quotes a Google security engineer, Rich Cannings, as saying the flaw's impact would be limited due to the compartmentalisation of the Android platform.

"We wanted to sandbox every single application because you can't trust any of them," Cannings told The New York Times.

A Google spokesperson told ZDNet UK on Monday that the company was "working on a browser software patch for Android" and "co-ordinating with T-Mobile on a plan to soon deliver this update over-the-air to customers' G1 handsets" — the HTC-made G1 being the first Android handset to be released to market.

Google's spokesperson also said the company did not believe the matter would "negatively impact" customers' experience with the G1, which will be launched by T-Mobile in the UK on Thursday.

Miller has reportedly not yet publicised the technical details of the problem, but has said the flaw in the browser used in Android means a visit to a malicious website could lead to software being secretly installed on the handset. Such software could record keystrokes made by the user, thereby discovering private information and passwords.

Android is a complete mobile stack — from operating system to applications — that is being developed by the Open Handset Alliance, an industry consortium headed up by Google.