Vulnerability Discovered Within Default Android Web Browser

A Vulnerability That Could Enable a Threat Actor to Run Malicious Code on a Victim’s Device Has Been Disclosed by Google


Several weeks ago, Google discretely disclosed a vulnerability within the ASOP browser, the browser that serves as the default web browsing app for all versions of Android before 4.2. The vulnerability allows malicious sites to inject JavaScript into other sites. Those malicious JavaScripts can then read cookies and password fields, submit forms, grab keyboard inputs and quite a bit more.

Android Browser used to be the default browser on Android OS, but this changed in Android 4.2, when Google switched to Chrome. Some core parts of Android Browser were still used to power embedded Web view controls within applications, but since Android 4.4, this in no longer the case.

However, due to the much discussed issue of Android fragmentation, Android Browser still has more users than Chrome for Android, with something like 40-50 percent of Android users using the flawed browser. (Only 24.5 percent of Android users are using version 4.4.)

How can the vulnerability be exploited?

  1. A threat actor sets up a malicious web server, which includes
  • A crafted page that contains an iframe – an html element that allows an showing external website in the same page (Like a frame within a frame on your TV).
  • The iframe is configured to load a sensitive website (Could be gmail, or maybe an internal company web site).
  • Malicious code that tries to access the iframe content (This is not possible on secure browser, but it’s possible in the vulnerable version of the AOSP browser)
  1. The victim browses to the malicious web site.
  2. The malicious code that is stored in the webpage can now access the iframe content (gmail, for instance) and relay the secure data to the threat actor.

This is just one of the ways the attack can be carried out. There are many methods of directing the user to the malicious webpage.

But this doesn’t only affect email. Think of a site like – many users prefer to navigate to the website instead of using the app, especially when they require quick access. Much of the confidential data being accessed and viewed could be in jeopardy due to this security issue.

What’s the implication for the enterprise?

Users who navigate to internal websites (corporate web-based applications, or SaaS services) via the AOSP browser can be exposed to data theft. Note the users needs to be logged in so sensitive data could be loaded.

Is there a fix for this, other than installing and using Chrome?

You can disable executing javascript in the browser, but this will prevent most of sites from working correctly – so I wouldn’t recommend this as a sensible way to mitigate the problem.

What’s Google’s response?

Only time will tell, but since it’s an older app, they probably aren’t going to fix this. Instead, they will just ask users to use Chrome instead.