Alert! Default Browser app on 75% of Androids is vulnerable

Android Security Alert

A newly discovered flaw in the Android Browser app, installed as the default web browser in all Android versions prior to 4.4, can allow attackers to steal personal information entered into websites and hijack authenticated sessions. For comprehensive protection, we recommend disabling the app as soon as possible and migrating to an alternative browser.

How to find out if you’re vulnerable

First, you will need to find out which version of the Android operating system you’re running. This information can be found under Settings > About Phone. If you’re running an Android Version that’s earlier than 4.4, your Android Browser app is vulnerable.

To disable to the Android Browser app:

Go to Settings > Applications > Manage Applications, and then find Browser (its icon is a little globe). Once you click on Browser, you should be given the option to Force Stop or Disable. You will want to select Disable. But note: some early versions do not allow you to Disable the Browser app at all. If this is the case, you will need to make a conscious effort not to use the app or to use it with caution when you do.

Use a different browsing app until Browser is patched:

Browser is an older app but vulnerable versions still come preloaded on low cost Android devices, which may actually account for up to 75% of the total Android ecosystem today. If migrating to the newest version of Android (currently KitKat 4.4) is not an option, we recommend disabling or discontinuing the use of Browser until it is fixed and downloading an alternative web browser, such as Google Chrome, Mozilla Firefox, or Dolphin.

Anyone needing help identifying whether their Android is vulnerable or transitioning to an alternative browser is encouraged to contact Emsisoft Support.

Same Origin Policy Bypass

This vulnerability was discovered by an independent security researcher named Rafay Baloch. Baloch found that vulnerable versions of Browser fail to enforce the same origin policy. Such failure essentially allows one website to grab things from another website, such as login information entered by a user and/or authentication cookies. This means that if you happen to visit a malicious website designed to exploit this vulnerability and then log into your email in a separate window, your credentials will be stolen and the attacker will be able to log in to your email account.

For more information on this type of attack, see the original report here and a follow up from PC World.

For additional protection, also consider Emsisoft Mobile Security, which can automatically prevent you from accessing malicious websites that leverage this vulnerability with Web Protection technology.

Have a great (mobile-malware-free) day!