Android exploit so dangerous, users warned to avoid phone's web browser

At the Schmoocon hacker conference in Washington D.C.
Written by Andrew Nusca, Contributor

At the Schmoocon hacker conference in Washington D.C. this weekend, security researcher Charlie Miller noted a new vulnerability in Google Android that allows hackers to remotely take control of the phone's web browser and related processes, ReadWriteWeb reports.

If a phone becomes compromised, hackers can gain access to saved credentials stored in the browser and browser history and could snoop on your web transactions, even if encrypted.

The current vulnerability is reportedly contained in code written by software company PacketVideo, which contributed an open version of their Core multimedia application framework to Android, where it became the multimedia subsystem for the Android web browser.

Miller said he notified Google of the flaw Jan. 21. Forbes' Andy Greenberg also reported on the issue, quoting a Google spokesperson saying that a fix will be issued "as soon as it becomes available."

However, a fix has been available since February 7th: the patch sits here in Google's source code repository, and not on users' Android phones, including the T-Mobile G1.

Miller recommends that Android owners "avoid using the browser until a patch is released" and otherwise only visit trusted sites over the T-Mobile network only.

To get a second opinion, ReadWriteWeb checked in with James Blaisdell, CTO of Mocana, a company who provides embedded security solutions for a litany of devices, including Android.

Says Blaisdell, this current vulnerability is "very serious" and the breach "could have catastrophic consequences for users." He also agrees with Miller's assessment that the best thing for Android users to do to protect themselves is to not use the Android web browser until Google issues a security patch.

Android is, in some ways, is a more secure OS than others, thanks to its "sandbox" architecture, helping stop malicious code injected into the browser from accessing and taking over other parts of the mobile OS or applications.

On the other hand, problems with Android that have been found have been serious or critical, such as applications being signed with "self-signed" certificates. Android's permission-based security model also puts the user in the spot of deciding which apps are safe and which or not.

This vulnerability was not patched with the recent RC33 update.

UPDATE 4:46 PM EST: Statement from Google Android security engineer Rich Cannings via Jay Nancarrow of Google's communications team:

Charlie Miller, a security researcher at Independent Security Evaluators, contacted security@android.com on January 21st regarding a bug in PacketVideo's OpenCore media library that he intended to disclose on Feburary 7.

Media libraries are extremely complex and can lead to bugs, so we designed our mediaserver, which uses OpenCore, to work within its own application sandbox so that security issues in the mediaserver would not affect other applications on the phone such as email, the browser, SMS, and the dialer. If the bug Charlie reported to us on January 21st is exploited, it would be limited to the mediaserver and could only exploit actions the mediaserver performs, such as listen to and alter some audio and visual media.

We thank our partners PacketVideo, oCERT, and T-Mobile for their engagement and attention to this issue.

If you're interested in the background of the story, here is more information:

The Android Security Team responded by contacting PacketVideo, T-Mobile, and oCERT, a public Computer Emergency Response Team. PacketVideo developed a fix on February 5th, and they patched Open Source Android two days later. oCERT assisted PacketVideo with coordinating the fix, and they published an advisory detailing this issue. We offered the patch to T-Mobile when it became available, and G1 users will be updated at T-Mobile's discretion.

For more details, see this advisory published by oCERT. (Image: Flickr/samuraispy)

Editorial standards