Android Browser ‘privacy disaster’ potentially affects 50% of users

Half of all Android users are at risk from a bug in the outdated Android Browser that allows code to be inserted into sites, where it can record a wealth of information from users.

The bug allows malicious sites to inject JavaScript into other sites using a flaw that breaks the Android Browser’s handling of the Same Origin Policy (SOP), which is supposed to stop malicious scripts from one site accessing content on another.

Ars Technica reports that security researcher Rafay Baloch first discovered the problem that allows JavaScript constructed in a certain way to ignore the SOP and run roughshod over any site’s content without having to request permission.

In other words, any site visited by a user when the browser is infected is under threat, and all manner of content, from cookies and passwords to form submissions, keyboard input or anything else, may have been stolen.

Users already on Google Chrome don’t need to worry. The problem is that many Android devices still use the Android Browser: it was the default on all devices before Android 4.2 was released and is still present on devices up until Android 4.4 KitKat.

It all means a bleak outlook for users, as just 24.5 per cent of Android users have 4.4 KitKat installed, and even then the evidence seen by Ars Technica shows that some have installed the Android Browser in preference to Chrome.

The situation is made worse by third-party products that still use the browser as the default option. Metasploit developers, who have designed a module to detect the problem, called it a “privacy disaster”.

“We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (1, 2) to AOSP [Android Open Source Platform],” read a statement from Google provided to Ars Technica.

Any users who haven’t already done so are reminded to switch over to the Chrome, Firefox or Opera browsers, which don’t use the broken code, and to stay vigilant when opening any third-party apps that use a browser.

Jamie is a freelance writer with over eight years’ experience writing for online audiences about technology and other topics. In his time writing for ITProPortal he wrote daily news stories covering the IT industry and the worldwide technology market, as well as features that covered every part of the IT market, from the latest start-ups to multinational companies and everything encompassed by the IT sector. He has also written tech content for our sister publication, TechRadar Pro. Jamie has since moved into sports betting content and is Content Manager at Betbull.