
Hackers Can Remotely Install Malware Apps on Your Android Device

Hacking Android Remotely


Security researchers have warned of a pair of vulnerabilities in the Google Play Store that could allow attackers to install and launch malicious applications remotely on Android devices.
Tod Beardsley, technical lead for the Metasploit Framework at Rapid7, warns that a missing X-Frame-Options (XFO) header on play.google.com, combined with a recent flaw in the Android WebView shipped with 4.3 (Jelly Bean) and earlier, gives an attacker a way to quietly install any app from the Play Store onto a victim's device without the user's consent.



USERS AFFECTED
The vulnerability affects users running Android 4.3 (Jelly Bean) and earlier, versions that no longer receive official security updates from the Android security team for WebView, the core component used to render web pages on an Android device. Users on newer versions who have installed a vulnerable third-party browser are affected as well.
According to the researcher, the stock web browser in Android 4.3 and prior is vulnerable to a Universal Cross-Site Scripting (UXSS) attack, and the Google Play Store web interface is exposed to script injection because it does not send an X-Frame-Options header on every response.

UNIVERSAL CROSS-SITE SCRIPTING FLAW
In a UXSS attack, a client-side vulnerability in the browser itself or in a browser extension is exploited to create an XSS condition on any site the victim visits: attacker-controlled script runs in that site's origin, bypassing the same-origin protections the browser is supposed to enforce.
“Users of these platforms may also have installed vulnerable aftermarket browsers,” Beardsley explains in a blog post on Tuesday. “Until the Google Play store XFO [X-Frame-Options] gap is mitigated, users of these web applications who habitually sign in to their Google Account will remain vulnerable.”
At the beginning of this month, a Universal Cross-Site Scripting (UXSS) flaw was discovered in all the latest versions of Internet Explorer that lets attackers inject malicious code into websites users visit and steal cookies, sessions and login credentials.
The security researcher demonstrated the issue with JavaScript and Ruby code showing that responses from the play.google.com domain can be obtained without the appropriate XFO header.

METASPLOIT MODULE IS PUBLICLY AVAILABLE
A Metasploit module has been created and published on GitHub so that enterprise security teams can test corporate-issued smartphones for exposure to the vulnerability. According to the advisory, remote code execution is achieved by chaining two vulnerabilities on affected Android devices:
  • First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open-source stock browser (the AOSP Browser) prior to 4.4 (KitKat), as well as in some other browsers.
  • Second, the Google Play Store's web interface fails to send an X-Frame-Options: DENY header on some error pages, so those pages can be framed by an attacker's site and, via the UXSS flaw, targeted for script injection. Script running in the play.google.com origin of a signed-in user can drive Google Play's remote-installation feature, so any application available on the Play Store can be installed and launched on the user's device.
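The header gap in the second step is something a practitioner can check for directly. The Python script below is an added example, not code from the advisory or from the Metasploit module: it parses HTTP response heads, decides whether a browser would let a third-party origin frame each page (honouring X-Frame-Options DENY, SAMEORIGIN and ALLOW-FROM, plus CSP frame-ancestors, which overrides XFO when both are present) and flags the responses that remain framable. The sample responses and the origins play.example and attacker.example are constructed placeholders, not captured Play Store traffic; fetch_headers() is included only for running the same check against a host you are authorised to test.

```python
"""Audit HTTP responses for framing protection (X-Frame-Options / CSP frame-ancestors).

Added example, not code from the advisory or from Metasploit. Sample
responses and origins below are constructed placeholders.
"""
import urllib.error
import urllib.request
from typing import Dict, List, Tuple
from urllib.parse import urlparse


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, {lowercased name: value}).

    Only the head is parsed; a repeated header keeps its last value.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def fetch_headers(url: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str]]:
    """Fetch a URL and return (status, headers), keeping 4xx/5xx responses.

    Error pages are returned instead of raised because they are exactly the
    responses the advisory says were missing the header. Not used offline.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "xfo-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def _same_origin(a: str, b: str) -> bool:
    pa, pb = urlparse(a.lower()), urlparse(b.lower())
    return (pa.scheme, pa.netloc) == (pb.scheme, pb.netloc)


def _frame_ancestors_allow(sources: List[str], page_origin: str, framer_origin: str) -> bool:
    """Evaluate a CSP frame-ancestors source list for one would-be framer."""
    framer = urlparse(framer_origin.lower())
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "'self'":
            if _same_origin(page_origin, framer_origin):
                return True
            continue
        if s == "*":
            return True
        scheme, _, host = s.rpartition("://")  # scheme-less sources match any scheme
        if scheme and scheme != framer.scheme:
            continue
        if host.startswith("*."):
            if framer.netloc.endswith(host[1:]):
                return True
        elif host == framer.netloc:
            return True
    return False


def framing_allowed(headers: Dict[str, str], page_origin: str, framer_origin: str) -> bool:
    """True if a browser would let framer_origin embed the page in an <iframe>.

    CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    An absent header, or a malformed XFO value (which browsers ignore), leaves
    the page framable: that is the gap on the Play Store error pages.
    """
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return _frame_ancestors_allow(parts[1:], page_origin, framer_origin)
    xfo = headers.get("x-frame-options")
    if xfo is None:
        return True
    tokens = xfo.split(None, 1)
    keyword = tokens[0].upper()
    if keyword == "DENY":
        return False
    if keyword == "SAMEORIGIN":
        return _same_origin(page_origin, framer_origin)
    if keyword == "ALLOW-FROM" and len(tokens) == 2:
        return _same_origin(tokens[1], framer_origin)
    return True


# Constructed sample responses: a page that carries the header and an
# error page that omits it, mirroring the gap described above.
SAMPLE_RESPONSES = {
    "search page": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n<html></html>",
    "missing-app error page": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>Not found</html>",
    "csp-protected page": (
        "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
        "Content-Security-Policy: frame-ancestors 'self' https://accounts.example\r\n\r\n"
    ),
}


def audit(responses: Dict[str, str], page_origin: str, attacker_origin: str) -> Dict[str, bool]:
    """Map each label to True when attacker_origin could frame that response."""
    return {
        label: framing_allowed(parse_raw_response(raw)[1], page_origin, attacker_origin)
        for label, raw in responses.items()
    }


if __name__ == "__main__":
    results = audit(SAMPLE_RESPONSES, "https://play.example", "https://attacker.example")
    for label, framable in results.items():
        print(f"{label:24s} {'FRAMABLE by attacker' if framable else 'protected'}")
```

When auditing a real site with fetch_headers(), request URLs that do not exist as well as ones that do: the advisory's point is that the 4xx error pages, not the normal ones, were the responses missing the header, and a checker that only looks at successful pages would report the site as protected.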
HOW TO PREVENT BEING EXPOSED
  • Use a web browser that is not susceptible to widely known UXSS vulnerabilities, such as Google Chrome, Mozilla Firefox or Dolphin. This mitigates the lack of a universal X-Frame-Options (XFO) header on the play.google.com domain, because without the UXSS flaw an attacker cannot inject script into a framed Play Store page.
  • Another effective measure is simply to log out of the Google Play Store account, which removes the signed-in session the remote-installation feature relies on, although most users are unlikely to adopt this practice.
