Skip to main content

Top Tips to Make Money with Google AdSense

Hacker Can Remotely Install Malware App To Your Android Device.

Hacking Android Remotely


Security researchers have warned of a pair of vulnerabilities in the Google Play Store that could allow cyber crooks toinstall and launch malicious applications remotely on Android devices.
Tod Beardsley, technical lead for the Metasploit Framework at Rapid7 warns that an X-Frame-Options (XFO) vulnerability – when combined with a recent Android WebView (Jelly Bean) flaw – creates a way for hackers to quietly install any arbitrary app from the Play store onto victims’ device even without the users consent.



USERS AFFECTED
The vulnerability affects users running Android version 4.3 Jelly Bean and earlier versions of Android that no longer receive official security updates from Android security team for Web View, a core component used to render web pages on an Android device. Also, users who have installed third party browsers are affected.
According to the researcher, the web browser in Android 4.3 and prior that are vulnerable to a Universal Cross-Site Scripting (UXSS) attack, and Google Play Store is vulnerable to a Cross-Site Scripting (XSS) flaw.

UNIVERSAL CROSS-SITE SCRIPTING FLAW
In UXSS attacks, client-side vulnerabilities are exploited in a web browser or browser extensions to generate an XSS condition, which allows the malicious code to be executed, bypassing or disabling the security protection mechanisms in the web browser.
Users of these platforms may also have installed vulnerable aftermarket browsers,” Beardsley explains in a blog post on Tuesday. “Until the Google Play store XFO [X-Frame-Options] gap is mitigated, users of these web applications who habitually sign in to their Google Account will remain vulnerable.
At the beginning of this month, a Universal Cross Site Scripting (UXSS) flaw was discovered in all the latest versions of Internet Explorer that allows malicious hackers to inject malicious code into users’ websites and steal cookies, session and login credentials.
The security researcher demonstrated the issue with JavaScript and Ruby code that response from theplay.google.comdomain can be generated without the appropriate XFO header.

METASPLOIT MODULE IS PUBLICLY AVAILABLE
A Metasploit module has been created and made public on Github in order to help enterprise security bods test corporate-issued smartphones for exposure to the vulnerability. According to the advisory, the remote code execution is achieved by leveraging two vulnerabilities on affected Android devices:
  • First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android’s open source stock browser (the AOSP Browser) as well as some other browsers, prior to 4.4 (KitKat).
  • Second, the Google Play store’s web interface fails to enforce a X-Frame-Options: DENY header on some error pages, and therefore, can be targeted for script injection. As a result, this leads to remote code execution through Google Play’s remote installation feature, as any application available on the Google Play store can be installed and launched on the user’s device.
HOW TO PREVENT BEING EXPOSED
  • Use a web browsers that are not susceptible to widely known UXSS vulnerabilities – such as Google Chrome or Mozilla Firefox or Dolphin. This could help mitigate the lack of universal X-Frame-Options (XFO) for the play.google.com domain.
  • Another effective way is to simply logged out of the Google Play store account in order to avoid the vulnerability, although this practice is highly unlikely to be adopted by most of the users.

Comments

Popular posts from this blog

PhoneGap Explained Visually

I’ve been “out and about” lately, attending tech conferences, meetup groups, and meeting with developers in their offices, and I am getting great feedback on mobile development and PhoneGap. There are some common questions that I am often asked, and I hope this post helps everyone understand PhoneGap better. PhoneGap Before I go too far, let me attempt to clearly state what PhoneGap is… PhoneGap is an application container technology that allows you to create natively-installed applications for mobile devices using HTML, CSS, and JavaScript.   The core engine for PhoneGap is also 100% open source, under the Apache Cordova project.  You can read more about PhoneGap under my “ What is PhoneGap? ” & Other Common Questions post.

PhoneGap Beliefs, Goals, and Philosophy

This article seeks to clear up misunderstandings about the goals of PhoneGap. Our goals are wrought from our beliefs, and development philosophy. Understanding a free software project, like PhoneGap, requires more than knowledge of the implementation details. It requires understanding the individuals behind the code. Knowing the people and what motivates them inform you more about whether the technology is right for you, your goals, and the people you work with. The world is diverse and very often this comes across in our code, and the tools we use to write it. Background PhoneGap was born at Nitobi Software in the summer of 2008. Nitobi was very much a web

How To Root Android Smartphones, Tablets And Much More: Everything You Need To Know!

Welcome to How To Root section. In this section you will learn how to root your Android smartphone, tablets and much more! First however, we will cover briefly what rooting is and why you should root your Android device. Note #1: If your Android smartphone or tablet is already rooted and you’re looking for how to spice it up and make it stand out from the crowd, visit Crack O World's Android ROM section. Note #2: We will be updating this page with the latest how to root guides, tutorials and how to’s once available, so make sure you come back soon! The Basics Of  Rooting Are you unsure about Rooting? Scared it might cause irreversible damage to your device? Well, all your questions will be answered in this detailed analysis.