January 23, 2014

Hackers can pwn your Android in 10 seconds, if you use Bing App in Starbucks

Imagine a leisurely afternoon: you are sitting in a coffee shop and want to look up the latest movie information for tonight’s date. So you connect to the public Wi-Fi network called “Starbucks” and open the Bing app.

Sounds natural? What you can’t imagine is that the moment you open the Bing app (com.microsoft.bing) on an untrusted Wi-Fi network, your phone or tablet could be completely compromised. By exploiting a remote code execution vulnerability in the Bing Android app (4.2.0 and lower), an attacker could download and install any malware app on your phone, turn your phone into a tapping device, or make unauthorized phone calls.

Here is a proof-of-concept video: an attacker can install an arbitrary APK from the Internet onto your phone. You did not do anything wrong; the only thing you did was install and open Microsoft Bing.

Trustlook reported the vulnerability to Microsoft Security 10 days ago and has been working closely with Microsoft to get it fixed. The Bing team fixed this vulnerability in version 4.2.1, which was released on Jan 21, 2013.

BTW, Microsoft is not the only vendor affected by this vulnerability. We have found hundreds of vulnerable apps on the Play Store. The total number of affected users could reach a billion (http://blog.trustlook.com/2014/01/09/2-years-old-android-vulnerability-still-affecting-billion-users/). We are still working with more vendors to fix this problem.

To check whether your Bing app is affected by this high-risk vulnerability, you can download our Trustlook Antivirus application to scan your device. If you would like more information, please contact us directly at support@trustlook.com.