Researchers expose Android WebKit browser exploit

Security experts have said handsets running version 2.0 or 2.1 of the Android OS could be remotely compromised by attackers employing code manipulation

A security researcher has discovered a weakness in the WebKit browser in the Android operating system that could potentially lead to remote code execution or software crashes.

The back-door vulnerability could allow attackers to quietly install Trojans or other malicious software giving full access to the handset, security engineer M J Keith of Alert Logic warned on Friday. Users simply need to load a web page with specially crafted HTML, he said.

The security researcher made the hole public on Friday, and it has been tested on Motorola Droid devices running versions 2.0.1 and 2.1 of the Android OS. It was also tested on an emulator running versions 2.0 to 2.1, which were likewise found to be susceptible.

This weakness is not specific to Android, as the WebKit vulnerability was already known to be present in Apple's Safari and Ubuntu Linux. However, Google has issued a fix in the latest version of the Android operating system, Froyo 2.2.

"We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser. The issue does not affect Android 2.2 or later versions," a Google spokesperson told ZDNet UK on Monday.

According to Google's figures, only 36.2 percent of Android handsets have so far made the upgrade to Froyo. Many security issues are not disclosed in public until the companies involved have been given an opportunity to patch the vulnerabilities.

Other mobile operating systems also use the WebKit system, including BlackBerry, Palm (now HP) WebOS, and Apple iOS. Many browsers are also being built on the same platform, including Chrome, Firefox Mobile and Skyfire.

On Tuesday, Coverity, a company that uses tools to check the integrity of software for potential weaknesses, announced that it had found 359 defects in the Android code, of which 88 are classified as high risk.

"Common defects found in open-source code continue to be flaws such as memory corruptions, NULL pointer dereferences, and resource leaks, which can cause system crashes and security vulnerabilities in products," reads the report.

In August, MWR InfoSecurity said it had discovered a flaw in the Android OS that allowed the transmission of confidential information, such as banking details or passwords, if a user visited a malicious web page using the standard WebKit-based browser.

The same researchers also found that a specially crafted vCard transferred to a Palm Pre via SMS, Bluetooth or the web browser could be used to remotely monitor calls made on the device.