BTW, Google has released a patch for Android 4.2, but this doesn't completely solve the problem: for those using Android versions lower than 4.2 (actually, 75% of Android users), the thousands of mobile applications that still have this vulnerability make them vulnerable targets. Those vulnerable apps can be divided into 3 groups.
Class A: The vulnerable WebView loads a remote URL, controllable by the user.
This is the most dangerous situation. A controllable URL is a perfect attack surface for this vulnerability. For instance, consider a social app that allows users to share URLs, which are later displayed in a WebView when their friends click the link. That means a malicious user can share a URL that contains exploit code, and all the viewers would be compromised.
Class B: The vulnerable WebView loads a remote URL, not controllable by the user.
Class C: The vulnerable WebView loads a local resource file.
Unlikely to be exploited directly, as the attacker must gain control of the local file system. Might be exploited when combined with other vulnerabilities.
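One way to triage an app's source against these three classes, as an added example that is not Trustlook's scanner or code from the original post: it scans Java source for `WebView.loadUrl` calls and sorts each one by where its argument comes from. The marker list and the sample source are assumptions constructed for illustration.

```python
import re

# Matches a loadUrl(...) call and captures its argument expression
# (one level of nested parentheses is tolerated).
LOAD_URL = re.compile(r'\.loadUrl\(\s*((?:[^()]|\([^()]*\))*)\)')

# Heuristic markers (assumptions): expressions that carry data from outside the app.
EXTERNAL_SOURCES = ("getIntent()", "getStringExtra", "getDataString",
                    "getQueryParameter", "getText()")

def classify(arg):
    """Map a loadUrl argument to the page's Class A/B/C, or 'review'."""
    arg = arg.strip()
    literal = re.fullmatch(r'"([^"]*)"', arg)
    if literal:
        url = literal.group(1).lower()
        if url.startswith(("file://", "content://")):
            return "C"   # local resource file
        if url.startswith(("http://", "https://")):
            return "B"   # fixed remote URL
        return "review"
    if any(marker in arg for marker in EXTERNAL_SOURCES):
        return "A"       # remote URL supplied from outside the app
    return "review"      # variable of unknown origin: trace it by hand

def triage(java_source):
    """Return (line_number, argument, class) for each loadUrl call."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        for m in LOAD_URL.finditer(line):
            findings.append((lineno, m.group(1).strip(), classify(m.group(1))))
    return findings

# Constructed sample, not taken from any real app.
SAMPLE = '''\
webView.loadUrl(getIntent().getStringExtra("shared_link"));
webView.loadUrl("http://news.example.com/feed");
webView.loadUrl("file:///android_asset/help.html");
webView.loadUrl(targetUrl);
'''

if __name__ == "__main__":
    for lineno, arg, cls in triage(SAMPLE):
        print(f"line {lineno}: class {cls:6} {arg}")
```

A "review" result means the argument is a variable whose origin the pattern match cannot see, so it needs manual data-flow tracing before it is assigned a class.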
According to our scanning with the Trustlook platform, hundreds of Play Store apps (all latest versions), including some well-known apps with more than 10 million installations, have been found vulnerable as Class A and B, and the number is still growing as our scanning is still going on. The total number of affected users has exceeded a billion.
You may want to ask: why is a vulnerability still mostly exploitable even though Google already patched it 2 years ago in 4.2?
First, due to the nature of Android, the versions are highly fragmented in the market: smartphones and tablets come from various vendors and use different 3rd-party ROMs. So unlike Windows or iOS, there is a long delay in pushing an update to all end users. As of Jan 2014, only 24.6% of users have updated to Android 4.2 or a newer version (official data: http://developer.android.com/about/dashboards/index.html ).
Second, most Android developers still lack awareness of security vulnerabilities.
In the past months, we have spent a lot of time in contact with every company and mobile developer to fix their vulnerability. Considering the large number of them, we have only helped a small portion of them fix it. As time goes on, we wish we could help more vendors.
Last, as a result of this research, we have integrated the detection ability into our Antivirus application, which helps mobile developers scan and check their applications. If you are not sure whether your application is vulnerable or not, please download it and scan your device. If you have more questions, please contact us directly at firstname.lastname@example.org