Longstanding flaw allows attackers to access sensitive information on all Android devices, including browser history, chat messages, and bank applications. The bug was fixed in Google Chrome 72; users need to check whether they have a fixed version.
Positive Technologies researcher Sergey Toshin has discovered a critical vulnerability in all versions of Android since version 4.4. The bug was found in the WebView component. With it, an attacker could use installed malware or instant apps to gain access to the personal data of Android users.
The severity of the vulnerability (CVE-2019-5765) was ranked by Google as High.
WebView is an Android component that allows web pages to be displayed inside Android apps. The vulnerability was detected in the Chromium engine, which powers WebView on Android versions 4.4 and later. The vulnerability threatens users of Chromium-based mobile browsers, including Google Chrome, Samsung Internet Browser, and Yandex Browser.
Instant apps allow users to try an application without having to install it first. After a user has clicked a browser link, the smartphone downloads a small file which runs like a native app, with access to the hardware, but does not take up storage on the device. If an attack is conducted via an instant app, data can be intercepted after a user taps a link to a malicious app.
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, described the discovery: "The WebView component is used in most Android mobile apps, which makes such attacks extremely dangerous. The most obvious attack scenario involves little-known third-party applications. After an update containing a malicious payload, such applications could read information from WebView. This enables access to browser history, authentication tokens and headers (which are commonly used for login in mobile apps), and other important data.
"Since Android 7.0, WebView has been implemented via Google Chrome and, therefore, updating the browser is enough to fix the bug. On earlier Android versions, WebView must be updated via Google Play. Users who do not have Google Play Services on their smartphones should wait for a WebView update from the device manufacturer."
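As an added example (not code from the article or from Positive Technologies), the following Python script checks the point made above: it reads `adb shell dumpsys package` output for the packages that supply WebView (Android System WebView, and Chrome, which provides WebView on Android 7.0 and later), extracts the installed `versionName`, and reports whether its major version is at least 72, the Chrome release the article names as fixed. The sample `dumpsys` output is constructed, and applying the same major-version threshold to the Android System WebView package is an assumption of this example.

```python
import re
import subprocess

# Fixed major version, as stated in the article (Google Chrome 72). Applying
# the same threshold to Android System WebView is an assumption of this example.
FIXED_MAJOR = 72

# Packages that can act as the WebView provider on Android.
WEBVIEW_PACKAGES = ("com.google.android.webview", "com.android.chrome")

# Constructed sample of `adb shell dumpsys package <pkg>` output (not captured
# from a real device). Only the versionName line is used by the check.
SAMPLE_DUMPSYS = {
    "com.google.android.webview": (
        "Packages:\n"
        "  Package [com.google.android.webview] (a1b2c3d):\n"
        "    versionCode=357811030 minSdk=24 targetSdk=28\n"
        "    versionName=71.0.3578.99\n"
    ),
    "com.android.chrome": (
        "Packages:\n"
        "  Package [com.android.chrome] (e4f5a6b):\n"
        "    versionCode=362607632 minSdk=24 targetSdk=28\n"
        "    versionName=72.0.3626.76\n"
    ),
}

VERSION_NAME_RE = re.compile(r"^\s*versionName=(\S+)", re.MULTILINE)


def parse_version_name(dumpsys_text):
    """Return the first versionName in dumpsys output, or None if absent
    (e.g. the package is not installed and dumpsys prints no package block)."""
    match = VERSION_NAME_RE.search(dumpsys_text)
    return match.group(1) if match else None


def is_fixed(version_name):
    """True when the major version (text before the first '.') is >= FIXED_MAJOR."""
    major_text = version_name.split(".", 1)[0]
    if not major_text.isdigit():
        return False  # unparseable version: treat as not known to be fixed
    return int(major_text) >= FIXED_MAJOR


def check_device(dumpsys_by_package):
    """Map each package to (versionName, fixed) for the installed providers.
    Packages without a versionName line are reported as not installed."""
    results = {}
    for package, text in dumpsys_by_package.items():
        version = parse_version_name(text)
        if version is None:
            results[package] = (None, False)
        else:
            results[package] = (version, is_fixed(version))
    return results


def collect_from_device(packages=WEBVIEW_PACKAGES):
    """Run `adb shell dumpsys package <pkg>` for each package on the connected
    device (requires adb on PATH and USB debugging enabled)."""
    output = {}
    for package in packages:
        proc = subprocess.run(
            ["adb", "shell", "dumpsys", "package", package],
            capture_output=True, text=True, check=False,
        )
        output[package] = proc.stdout
    return output


if __name__ == "__main__":
    # Demonstrate on the constructed sample; replace with collect_from_device()
    # to check a real device.
    for package, (version, fixed) in check_device(SAMPLE_DUMPSYS).items():
        status = "not installed" if version is None else ("fixed" if fixed else "VULNERABLE")
        print(f"{package}: versionName={version} -> {status}")
```

On a device running Android 7.0 or later, the provider that matters is the one selected under Developer options > WebView implementation; on earlier versions it is `com.google.android.webview`, which is why the script reports both packages rather than guessing which one is active.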