Android Password Vulnerabilities put Mobile Banking at Risk

Positive Research, a division of Positive Technologies, has found two critical vulnerabilities in the Google Chrome™ browser for Android that could allow hackers to steal personal user data. Since the introduction of Android 4.1 (codename Jelly Bean), Chrome™ has become the browser of choice on millions of smartphones and tablet devices.

In exploiting the first of the vulnerabilities, the Positive Research team demonstrated how an attacker could gain access to clickstream, cookies and web cache data stored in the browser. The second vulnerability would let a hacker execute arbitrary JavaScript code in the security context of an arbitrary site to mount a Universal Cross-Site Scripting attack. These types of attacks could compromise mobile banking systems by giving cybercriminals access to user accounts.

As part of its ongoing co-operation with Google, Positive Research promptly reported its findings to Google, which quickly developed a new version of Chrome that eliminates the security defects. Over the past few years, Google has inducted several members of the Positive Research Team into its Security Hall of Fame for the work they have done helping Google secure its products.

“Our teams are very experienced at detecting and fixing mobile application vulnerabilities,” says Dmitry Evteev, Head of Security Assessment Department at Positive Technologies. “This summer, we launched a special initiative aimed at mobile applications for Apple iOS, Google Android and Windows Phone platforms. Banks will begin to require a higher level of security for mobile devices as they grow in popularity as a method for carrying out financial transactions.”