Released a Metasploit module to hack 70% Android devices


Rapid7 has released the “exploit/android/browser/webview_addjavascriptinterface” module, which allows attackers to gain remote access to most Android devices.

A bug in the Android WebView programming interface allows attackers to gain remote access to most devices running the popular OS. It does not end there: hackers could easily access the handset’s camera and file system simply by creating a specially crafted web page, and via a man-in-the-middle attack they could deliver a trojanized app update to infect the victim’s mobile device. The situation is critical: nearly 70 percent of Android-based handsets are vulnerable because they run Android versions prior to 4.2. The economics of an attack favor the attacker, since it is increasingly easy to find the tools and knowledge needed to compromise mobile devices. Consider the above vulnerability in the Android WebView programming interface: Rapid7 recently released a new module for the Metasploit framework to “get shell” on most Android-running devices.

“This module exploits a privilege escalation issue in Android < 4.2’s WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView’s HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell. Note: Adding a .js to the URL will return plain javascript (no HTML markup),” reports Rapid7 on the page dedicated to the “exploit/android/browser/webview_addjavascriptinterface” module.
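For app teams, the conditions in that description can be checked in their own code. The following is an added example, not code from Rapid7 or the original article: a small Python audit that flags `addJavascriptInterface` calls in apps installable on Android versions before 4.2 (API level 17) and cleartext `http://` loads in files that add an interface. It assumes `minSdkVersion` is declared in `AndroidManifest.xml`, matches per file rather than per WebView object, and the manifest, file names and `example.invalid` URLs are constructed sample input.

```python
import re

# Android 4.2 is API level 17; the page states that earlier versions are affected.
FIXED_API_LEVEL = 17

ADD_IFACE = re.compile(r"\.addJavascriptInterface\s*\(")
HTTP_LOAD = re.compile(r'\.loadUrl\s*\(\s*"http://', re.IGNORECASE)
MIN_SDK = re.compile(r'android:minSdkVersion\s*=\s*"(\d+)"')


def min_sdk(manifest_xml):
    """Declared minSdkVersion; Android assumes 1 when the attribute is absent."""
    match = MIN_SDK.search(manifest_xml)
    return int(match.group(1)) if match else 1


def audit(manifest_xml, sources):
    """sources maps file name -> Java source. Returns (file, line, finding) tuples."""
    findings = []
    installs_on_affected = min_sdk(manifest_xml) < FIXED_API_LEVEL
    for name, text in sorted(sources.items()):
        has_iface = bool(ADD_IFACE.search(text))  # per-file heuristic
        for number, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("//"):
                continue  # skip commented-out calls
            if installs_on_affected and ADD_IFACE.search(line):
                findings.append((name, number, "interface reachable on Android < 4.2"))
            if has_iface and HTTP_LOAD.search(line):
                findings.append((name, number, "interface-bearing WebView loads cleartext HTTP"))
    return findings


# Constructed sample input (not taken from any real app).
SAMPLE_MANIFEST = '<manifest><uses-sdk android:minSdkVersion="14"/></manifest>'
SAMPLE_SOURCES = {
    "AdActivity.java": (
        'WebView ad = new WebView(this);\n'
        '// ad.addJavascriptInterface(new OldBridge(), "old");\n'
        'ad.addJavascriptInterface(new AdBridge(), "bridge");\n'
        'ad.loadUrl("http://ads.example.invalid/banner.html");\n'
    ),
    "HelpActivity.java": 'WebView help = new WebView(this);\nhelp.loadUrl("http://help.example.invalid/");\n',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print("%s:%d: %s" % finding)
```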


To secure mobile devices, carriers and manufacturers have to adopt an effective strategy to mitigate a growing number of cyber threats. As usual, the interval between the discovery of a bug and the release of its fix is too long: the flaw in the Android WebView programming interface was identified in December 2012, but Google fixed it in November 2013, releasing Android version 4.2.

[The flaw] “kind of a huge deal” “In a completely unsurprising twist, I did a quick survey of the phones available today on the no-contract rack at a couple big-box stores, and every one that I saw were vulnerable out of the box,” “And yes, that’s here in the U.S., not some far-away place like Moscow, Russia.” “I’m hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don’t last for 93+ weeks in the wild,” said Tod Beardsley, technical lead for the Metasploit Framework.

In this case the end user is helpless: they can’t fix the problem and just have to wait for the next security update. There is a concrete risk that bad actors will start to use the Metasploit module on a large scale, a scenario that could have serious security repercussions.

Pierluigi Paganini

(Security Affairs – Android, Metasploit)