Android Browser Flaw Allows Data Theft

A new vulnerability has been discovered in the Android web browser that could allow hackers to steal files stored on the smartphone's SD card.

According to security expert Thomas Cannon, the a flaw automatically allows payload data to be downloaded to the device's SD card. A few tweaks to a JavaScript will allow the files on the SD card to open making the data readable, he said.

Once the JavaScript has stored the contents of the targeted file, it will then post it to the malicious website. He warned that the flaw is present on multiple handsets and multiple Android OS versions.

The security expert has posted a video on his website showing the Android browser exploit in action.

“I notified the Android Security Team on 19-Nov-2010 and to their credit they responded within 20 minutes, took it seriously, and started an investigation into the issue. They have since updated me to say they are aiming for a fix to go into a Gingerbread maintenance release after Gingerbread (Android 2.3) becomes available,” he said.

Topics