Android AOSP Browser Bug Could Affect 75 Percent Of Users
A new Android vulnerability, which could allow attackers to view open Web pages on the victim’s Android Web browser or hijack their online accounts, has recently been uncovered, and may impact an estimated 75 percent of android users.
Uncovered in early September, by security researcher, Ray Baloch, the Google Android Browser Same Origin Policy Security Bypass Vulnerability (CVE-2014-6041) reportedly affects any Android version below 4.4. The bug, found in the Android Open Source Project browser (or AOSP browser—a browser that Google no longer supports), could be exploited by an attacker, who finds a way of convincing an Android user to visit a malicious website. After exploiting the bug, an attacker could access Web pages that are open in other windows on the browser, or they could steal a copy of the user’s session cookie and hijack the session, which could allow the attacker to gain access to a user’s other information, such as an email account.
While Google has since released patches, found here and here, Google does not ship the AOSP browser on Android 4.4 KitKat devices, since replacing the app with Chrome. However, only 25 percent of Android device owners use Android 4.4 KitKat, which means that the vast majority of users could be vulnerable.
What to do if you’re in the “75%”:
- Avoid using your AOSP browser for any reason.
- Upgrade your browser to Google Chrome. Chrome users are not affected by this bug. If you cannot download Chrome, you will need to wait until device manufacturers and mobile carriers implement the patches into their own versions of the OS.
- Don’t click on suspicious links on your phone. If something looks fishy, or “too good to be true,” type in the URL manually, as many harmful links can appear “innocent” before you click.
- Keep an eye out for mobile product updates from Norton. The latest version of Norton Halt is available now to help you to detect these kinds of vulnerabilities on your device.
So far, there have been no reports or evidence that anyone has exploited this vulnerability, but, just to be on the safe side, be sure to follow the tips above to help keep your information private and secure.