Android Browser Vulnerability Revealed, Patched

Security experts have discovered a vulnerability in the web browser of an earlier version of Google’s Android mobile operating system.

Roee Hay and Yair Amit of the IBM Rational Application Security Research Group have discovered a cross-application scripting vulnerability that could result in attacks on Android devices.

The vulnerability allows an attacker to exploit the web browser’s URL loading process to load malicious JavaScript, which breaks the web browser’s sandbox.

The researchers said in a post [PDF] that Android versions 2.2, 2.3.4 and 3.0 were affected by the vulnerability, but they also revealed that Google had patched the holes in Android versions 2.3.5 and 3.1.

The patches for Android 2.2 are available but will be released at a later date, the researchers said.

“By exploiting this vulnerability a malicious, non-privileged application may inject JavaScript code into the context of any domain. Additionally, an application may install itself as a service, in order to inject JavaScript code from time to time into the currently opened tab, thus completely intercepting the user's browsing experience,” the IBM researchers said in the post.