Android Browser ‘privacy disaster’ potentially affects 50% of users

Half of all Android users are at risk from a bug in the outdated Android Browser that enables code to be inserted into sites, where it can record a wealth of information from users.


The bug allows malicious sites to inject JavaScript into other sites, using a flaw that breaks the Android Browser’s handling of the Same Origin Policy (SOP), which is supposed to stop malicious scripts from one site accessing content on another.

Ars Technica reports that security researcher Rafay Baloch first discovered the problem that allows JavaScript constructed in a certain way to ignore the SOP and run roughshod over any site’s content without having to request permission.

In other words, any site visited by a user when the browser is infected is under threat and all manner of different content from cookies and passwords to submit forms, keyboard input or anything else may have been stolen.

Users already on Google Chrome don’t need to worry. The problem is that many Android devices still use the Android Browser, as it was the default on all devices before Android 4.2 was released and is still present on devices up until Android 4.4 KitKat.

It all means a bleak outlook for users as just 24.5 per cent of Android users have 4.4 KitKat installed and even then the evidence seen by Ars Technica shows that some have installed the Android Browser as a preference over Chrome.

The situation is made worse by third-party products that still use the browser as the default option, and Metasploit developers, who have designed a module to detect the problem, called it a “privacy disaster”.

“We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (1, 2) to AOSP [Android Open Source Platform],” read a statement from Google provided to Ars Technica.


Any users that haven’t already done so are reminded to switch over to Chrome, Firefox or Opera, browsers that don’t use the broken code, and to stay vigilant when opening any third-party apps that use a browser.
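For site operators who want to estimate how many visitors fall into the affected group, the criteria in Google's statement can be applied to User-Agent strings from web logs. This is an added example, not part of the original article: the function names, the User-Agent token patterns and the sample strings are assumptions constructed for illustration, and because User-Agent headers can be spoofed the result is only a hint.

```javascript
// Added example: triage User-Agent strings against the article's criteria
// (Chrome/Firefox/Opera users and Android 4.4+ are reported as unaffected).
// The token patterns below are assumptions about common Android UA formats.

function parseAndroidVersion(ua) {
  const m = /Android (\d+)(?:\.(\d+))?/.exec(ua);
  return m ? [Number(m[1]), Number(m[2] || 0)] : null;
}

function classifyUserAgent(ua) {
  if (!/Android/.test(ua)) return "not-android";
  // Browsers the article names as alternatives identify themselves with these tokens.
  if (/(Chrome|Firefox|OPR|Opera)\//.test(ua)) return "other-browser";
  const v = parseAndroidVersion(ua);
  if (v === null) return "unknown";
  const [major, minor] = v;
  if (major > 4 || (major === 4 && minor >= 4)) return "android-4.4-plus";
  // Stock-browser UAs typically carry "Version/x.y ... Safari/" and no Chrome token.
  if (/Version\/\d/.test(ua) && /Safari\//.test(ua)) return "likely-affected";
  return "unknown";
}

// Count how many User-Agent strings fall into each class.
function summarize(userAgents) {
  const counts = {};
  for (const ua of userAgents) {
    const cls = classifyUserAgent(ua);
    counts[cls] = (counts[cls] || 0) + 1;
  }
  return counts;
}

// Constructed sample input (device and build names are placeholders).
const SAMPLE_UAS = [
  "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; SAMPLE Build/XXXXX) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
  "Mozilla/5.0 (Linux; Android 4.1.2; SAMPLE Build/XXXXX) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.117 Mobile Safari/537.36",
  "Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SAMPLE Build/XXXXX) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
  "Mozilla/5.0 (Android; Mobile; rv:32.0) Gecko/32.0 Firefox/32.0",
  "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36",
];

console.log(summarize(SAMPLE_UAS));
```

A "likely-affected" hit identifies a client worth following up on, for example with a prompt to switch browsers; it does not confirm whether the device has received the AOSP patches mentioned in Google's statement.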