Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Beware of employees' cheap Android phones

From: InfoSec News <alerts () infosecnews org>
Date: Fri, 21 Feb 2014 07:22:11 +0000 (UTC)
http://www.csoonline.com/article/748548/beware-of-employees-cheap-android-phones

By Antone Gonsalves
CSO Online
February 20, 2014
An Android vulnerability known since 2012 has recently been found to be more serious than previously thought, particularly in phones that cost less than $150.
When first discovered, the vulnerability in the WebView class used to embed a browser component to display online content in an app was thought to require an ongoing man-in-the-middle attack to be exploited. Security vendor Rapid 7 recently found that not to be the case.
Researcher Joe Vennix found that the vulnerability in Android versions below 4.2, which is early Jelly Bean, could be exploited by clicking on a link in a text message, which would send the recipient to a malicious website. At that point, the attacker could throw up whatever Web page they like, while JavaScript is downloaded in the background to exploit the vulnerability.
"In our exploit, it's just a blank page. There's nothing there," Tod Beardsley, engineering manager at Rapid7, said. "But by the time you hit the blank page, the gears are in motion." 

[...]



--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/
Previous By Date Next
Previous By Thread Next

Current thread: