With more than 2 billion users, Android has a staggering number of devices to protect. But a “high-severity” bug that went undetected for more than five years—that attackers could exploit to spy on a user and gain access to their accounts—serves as a reminder that Android’s impressive open source reach also creates challenges for defending a decentralized ecosystem.
Discovered by Sergey Toshin, a mobile security researcher at the threat detection firm Positive Technologies, the bug originated in Chromium, the open-source project that underlies Chrome and many other browsers. As a result, an attacker could target not only mobile Chrome, but other popular mobile browsers built on Chromium. Even more specifically, Chromium powers an Android has a feature called WebView, which works behind the scenes when you click a link in a game or a social network; it’s what lets those webpages load in a sort of mini-browser without having to leave the app. Using the Chromium vulnerability, hackers can use WebView to grab user data and gain broad device access.
“An attacker could launch an assault on any Chromium-based mobile browser on an Android device, including Google Chrome, Samsung Internet Browser, and Yandex Browser, and retrieve data from its WebView,” Toshin says.
Making matters worse, the bug has been present in every version of Android since 2013’s 4.4 KitKat—the first version of Android that could listen for “Ok Google,” and the first to include emojis in Google Keyboard. Truly, those were the days.
“In most cases it is almost impossible to detect it.”
Sergey Toshin, Positive Technologies
An attacker would get the most reliable, long term access to a victim’s device by tricking them into installing a malicious app that incorporates WebView and exploits the bug. But Toshin points out that attackers could also use the bug to gain inappropriate device access by tricking users into clicking a malicious link that would then open through Android’s Instant App feature. This component allows users to run a version of an app immediately without actually installing it. In that scenario, an attacker wouldn’t have permanent, persistent access, but would have a limited window of time to start hoovering up a user’s data or information about their mobile accounts. Either way, methods are quiet and inconspicuous compromises.
“In most cases it is almost impossible to detect it,” Toshin says.
Positive Technologies disclosed the bug to Google in January, and the company patched it as part of Chrome 72 at the end of that month. Devices running Android 7 or later should be able to get the update through general Chrome updates, but devices running versions of Android 5 and 6 will need to install a special update for WebView through Google Play. That’s helpful for Android owners with autoupdates turned onOld, but otherwise they’d have to install it themselves. Both Toshin and Google also told WIRED that devices built on Android which don’t include Google Play, like Amazon Kindles, will need their device manufacturers to issue a special patch. This is where Android’s fragmented population particularly creates problems with getting fixes to the devices that need them.
Google also noted that it did not release a patch for Android 4.4 itself, because the operating system is more than five years old and is only still running on what the company characterizes as small percentage of devices. But according to Google’s own numbers, 7.6 percent of Android devices still run on KitKat. Based on an install base of 2 billion, that’s about 152 million. It’s also more than the current version of Android, Oreo 8.1, which sits at 7.5 percent adoption.
Google has worked to improve its ability to push patches across devices and minimize hurdles caused by variations in manufacturer implementation. But there’s still a very long way to go. And because of Android’s ubiquity in all different contexts and price points around the world, the reality is that old versions of Android remain in use for a very long time.