Gilt Android App Remote Code Execution Vulnerability

Here we want to disclose another app affected by the addJavascriptInterface vulnerability. Gilt Android application version 3.01 and below is vulnerable to this attack. (For more details, please see our previous posts: Hackers can pwn your Android in 10 seconds and A billion Android users are exposed to a high-risk vulnerability.)

Above is the proof-of-concept video: an attacker could install an arbitrary APK from the Internet onto your phone. Again, you did nothing wrong; the only thing you did was open Gilt on an insecure router or wifi network.

We have already built a scanning module into our Trustlook Antivirus, which can now detect the apps that are potentially impacted by this vulnerability.

Hackers can pwn your Android in 10 seconds, if you use Bing App in Starbucks

Imagine a leisurely afternoon: you are sitting in a coffee shop and want to search for the latest movie information for tonight's date. So you connect to the public wifi called "Starbucks" and open the Bing app.

Sounds natural? What you can't imagine is that, at the moment you open the Bing app (com.microsoft.bing) on an untrusted wifi network, your phone or tablet could be completely hacked. By using a remote code execution vulnerability in the Bing Android app (4.2.0 and lower), the hacker could download and install any malware app onto your phone, turn your phone into a tapping device, or make unauthorized phone calls.


Here is a proof-of-concept video: an attacker could install an arbitrary APK from the Internet onto your phone. You did nothing wrong; the only thing you did was install and open Microsoft Bing.

Trustlook reported the vulnerability to Microsoft Security 10 days ago and has been working closely with Microsoft to get it fixed. The Bing team has fixed this vulnerability in version 4.2.1, which was released on Jan 21, 2013.

BTW, Microsoft is not the only vendor affected by this vulnerability. We have found hundreds of vulnerable apps on the Play Store, and the total number of affected users could reach a billion (https://blog.trustlook.com/2014/01/09/2-years-old-android-vulnerability-still-affecting-billion-users/). We are still working with more vendors to fix this problem.

To identify whether your Bing app is affected by this high-risk vulnerability, you can download our Trustlook Antivirus application to scan your device. If you want more information, please contact us directly at support@trustlook.com.

A billion Android users are exposed to a high-risk vulnerability

Since our research team published an Android remote code execution vulnerability last September (Alert: Android WebView addJavascriptInterface Code Execution Vulnerability), we had assumed that most mobile developers would have patched it, but our recent review shows that the risk is much higher than we could have imagined. Billions of users are affected by this high-risk vulnerability.

As we reported before, this vulnerability allows attackers to execute arbitrary Java code by using JavaScript embedded in a web page. Depending on the permissions the vulnerable app has requested, attackers can send SMS in the background, turn your phone into an interception device, make phone calls, or even install packages (on rooted phones).

BTW, Google has released a patch in Android 4.2, but this doesn't completely solve the problem: for those using Android versions lower than 4.2 (actually 75% of Android users), the thousands of mobile applications that still have this vulnerability make them vulnerable targets. Those vulnerable apps can be divided into 3 groups.

Class A: The vulnerable WebView loads a remote URL that is controllable by the user.

This is the most dangerous situation. A controllable URL is a perfect attack surface for this vulnerability. For instance, consider a social app that allows users to share URLs, which are later displayed in a WebView when his/her friends click the link. That means a malicious user can share a URL that contains exploit code, and all the viewers would be compromised.

Class B: The vulnerable WebView loads a remote URL that is not controllable by the user.

Not as easily exploited as Class A, but still exploitable when attackers gain control of the network. For example, when attackers gain control of a wifi hotspot or DNS server, they can insert a piece of JavaScript into all HTTP traffic, and every app user on that wifi/DNS would be compromised.

Class C: The vulnerable WebView loads a local resource file.

Unlikely to be exploited directly, as the attacker must gain control of the local file system. It might be exploited when combined with other vulnerabilities.
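To make the three classes concrete for developers, here is an added example (written for this post; it is not code from Gilt, Bing or Trustlook's scanner) of a Class B WebView beside a hardened version of the same screen. The activity, bridge classes and feed URLs (FeedActivity, LegacyBridge, SafeBridge, example.com) are hypothetical. The vulnerable setup exposes an unannotated Java object to page JavaScript and loads the page over plain HTTP, which is exactly the combination a rogue wifi hotspot or DNS server can abuse; the hardened setup uses @JavascriptInterface (enforced only when the app has targetSdkVersion 17 or higher and runs on Android 4.2 or higher), exposes no bridge at all on older devices, removes the interface the platform itself injects there, pins navigation to an HTTPS origin, and loads the page over TLS.

```java
// Added example, not code from the original post or the apps it names.
// All class names and URLs below are hypothetical.
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

public class FeedActivity extends Activity {

    // Class B as described above: a fixed remote URL, not chosen by the user,
    // but loaded over plain HTTP, so an on-path attacker can inject JavaScript.
    private static final String INSECURE_FEED_URL = "http://example.com/feed";
    // Hardened form: the same page over TLS, so the network cannot alter it.
    private static final String FEED_URL = "https://example.com/feed";
    private static final String TRUSTED_ORIGIN = "https://example.com/";

    /** Vulnerable bridge (pre-API-17 semantics): every public method, including
     *  the inherited getClass(), is reachable from page JavaScript via reflection. */
    public class LegacyBridge {
        public void showToast(String msg) {
            Toast.makeText(FeedActivity.this, msg, Toast.LENGTH_SHORT).show();
        }
    }

    /** Hardened bridge: with targetSdkVersion >= 17 on an API 17+ device, only
     *  methods carrying @JavascriptInterface are visible to JavaScript. */
    public class SafeBridge {
        @JavascriptInterface
        public void showToast(String msg) {
            Toast.makeText(FeedActivity.this, msg, Toast.LENGTH_SHORT).show();
        }

        // No annotation: not callable from JavaScript on API 17+.
        public void internalOnly() { }
    }

    /** The pattern the scanner flags: JS enabled, unannotated bridge, HTTP URL. */
    private void setUpVulnerable(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new LegacyBridge(), "bridge");
        wv.loadUrl(INSECURE_FEED_URL);
    }

    /** Hardened setup for the same screen. */
    private void setUpHardened(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // API 17+: the @JavascriptInterface allow-list is enforced
            // (the manifest must also declare targetSdkVersion >= 17).
            wv.addJavascriptInterface(new SafeBridge(), "bridge");
        } else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            // Below API 17 the annotation is ignored, so expose no bridge at all
            // and drop the interface the platform injects on these versions.
            wv.removeJavascriptInterface("searchBoxJavaBridge_");
        }
        // Block navigation away from the trusted HTTPS origin; returning true
        // tells the WebView not to load the URL.
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !url.startsWith(TRUSTED_ORIGIN);
            }
        });
        wv.loadUrl(FEED_URL);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView wv = new WebView(this);
        setContentView(wv);
        setUpHardened(wv);
    }
}
```

The same two changes address Class A: if the URL comes from another user, the hardened setup still only ever exposes annotated methods, and the origin check refuses to render anything outside the trusted HTTPS host. Class C is covered by the bridge rules alone, since a local file loaded into a WebView with an unannotated bridge has the same reach as a remote page.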

According to our scanning on the Trustlook platform, hundreds of Play Store apps (all latest versions), including some well-known apps with more than 10 million installations, have been found vulnerable as Class A or B, and the number is still growing as our scanning continues. The total number of affected users has exceeded a billion.

You may want to ask why this vulnerability is still largely exploitable even though Google already patched it 2 years ago in Android 4.2.

First, due to the nature of Android, versions are highly fragmented in the market: smartphones and tablets come from various vendors, using different 3rd-party ROMs. So unlike Windows or iOS, there is a long delay in pushing an update to all end users. As of Jan 2014, only 24.6% of users have updated to Android 4.2 or a newer version (official data: http://developer.android.com/about/dashboards/index.html ).

Second, most Android developers still lack awareness of security vulnerabilities.


In the past months, we have spent a lot of time contacting every affected company and mobile developer to fix their vulnerability. Considering the large number of them, we have only helped a small portion get fixed. As time goes on, we hope to help more vendors.

Last, as a research result, we have integrated the detection capability into our Antivirus application, which helps mobile developers scan and check their applications. If you are not sure whether your application is vulnerable, please download it and scan your device. If you have more questions, please contact us directly at support@trustlook.com.