Security researchers have recently found a vulnerability that could be used to hijack Android apps and devices, but an older issue that can have the same effect remains a significant threat nearly two years after its discovery, according to security firm Bromium.
A large number of applications and advertising frameworks embedded into applications use WebView to display Web content loaded from remote servers—for example, ads. The problem is that many of these apps don’t load the WebView content over an encrypted HTTPS (HTTP Secure) connection.
“The futex vulnerability for instance (CVE-2014-3153) affects every Linux kernel version currently used by Android and was recently used to successfully root the Galaxy S5 for the first time,” the Bromium security researchers said in a blog post Thursday.
“In order to be compatible with the widest number of devices, apps and ad frameworks are often built against the lowest possible API version,” the Bromium researchers said. “The upshot is that an app can be vulnerable even when running on a fully patched Android device running 4.2, 4.3 or 4.4.”
A subset of those were then installed and tested on a Nexus 5 running Android 4.4.3 and a Samsung XE700t tablet running Android Open Source Project firmware version 4.2. The devices were connected to a rogue wireless access point that the researchers controlled.
Around 13 percent of apps being potentially vulnerable, but not necessarily exploitable, doesn’t sound like much. However, not all apps are equal—some are more popular than others.
“From only the small sample we manually confirmed were vulnerable, there are over 150 million downloads,” the Bromium researchers said. “This doesn’t necessarily mean there are guaranteed 150,000,000 vulnerable devices out there, because one device could have multiple different vulnerable apps installed. But given the proportions we’ve found in our analysis—10% of sampled apps potentially vulnerable, 50% of the potentially vulnerable apps we tested actually were exploitable—that is a likely to be a lot of devices.”
It’s also worth pointing out that, according to Google’s latest statistics from Google Play, over half of Android devices are running Android versions older than 4.2.
The Bromium researchers went even further and cross-referenced the list of potentially vulnerable apps with data from the Device Analyzer project at the University of Cambridge that collects information about app usage from 19,606 real-world devices.
“For the last year or so, the Device Analyser data shows that their users on average opened 0.4-0.5 potentially vulnerable apps per day,” the Bromium researchers said. “Or in simpler terms, their average user is vulnerable a couple of times a week.”
The Bromium analysis highlights that some Android vulnerabilities can linger on for a long time, despite patches being available. That’s primarily because of the fragmentation that exists in the Android ecosystem and the many parties that have to take action when security issues arise, such as Android developers, device manufacturers, carriers, app developers and advertising networks.
“One compromised device can become the man-in-the-middle on whatever networks it subsequently joins, thus spreading the attack to, for example, the corporate wifi network so popular in the bring-your-own-device world,” the Bromium researchers said.