Researchers found a flaw in Chromium-based browsers that left devices open to attack. A bug in WebView made it possible for hackers to install malware and/or instant apps that could then hook into the owner's browsing history and site log-in data. The problem impacts all versions of Android since 4.4 KitKat.
The flaw was reported by Positive Technologies researcher Sergey Toshin. It is found in WebView, a component of the Android operating system that makes it possible for web pages to render within Android applications. The problem exists specifically in the Chromium engine, which powers WebView on Android 4.4 and up. Any Chromium-based browser, such as Google Chrome and Samsung Internet Browser, carries the vulnerability.
According to Positive Technologies, the vulnerability allows an attack via Google's instant apps. Instant apps are small bits of apps that people can run on their phone to determine if they want to download the full app. People click on instant app links and the phone downloads a tiny file that runs like an app. Instant apps have full access to the device hardware. Attacks that take this approach would be able to intercept user data through the browser.
"The WebView component is used in most Android mobile apps, which makes such attacks extremely dangerous," said Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies. "The most obvious attack scenario involves little-known third-party applications. After an update containing a malicious payload, such applications could read information from WebView. This enables access to browser history, authentication tokens and headers (which are commonly used for login in mobile apps), and other important data."
What's most alarming about the discovery is how long the flaw has been around. Android 4.4 KitKat debuted in September 2013. Google has taken care of the issue for at least some devices.
In phones running Android 4.4 KitKat through Android 6 Marshmallow, WebView can only be updated via Google Play. In other words, devices running these older platforms need to have the latest version of Google Play Services aboard in order to be safe. This often means waiting on the device maker, and, let's be honest, most device makers moved on from their 2013-to-2015-era hardware some time ago. Android phones that are four to five years old may not be common in the U.S. anymore, but they certainly are in developing markets.
Beginning with Android 7 Nougat, Google moved WebView directly into the Chrome browser. Updating the browser, therefore, can fix the bug. Google listed the bug in its January security update and patched it via Chrome. Anyone running Chrome 72 or higher on a device running Android 7 and up is safe from the bug. Positive Technologies recommends all users update Chrome as soon as possible.