Gingerbread data-stealing flaw discovered
Researchers in the US have discovered a data-stealing flaw in Android Gingerbread.


A US-based researcher has discovered a flaw in the latest iteration of Android, which could see user data stolen.
A Gingerbread user could have their device compromised by clicking on a malicious link, discovered Xuxian Jiang, assistant professor in North Carolina State University's department of computer science.
The original vulnerability was supposed to have been patched in Android 2.3, yet there was still a way to bypass the fix, the researcher claimed.
"We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone," Jiang said in his report.
In attempting to hack the device, the researchers found they could read and even upload the contents of files, including photos and voicemails, as long as they were stored on the phone's SD card and the precise filename was known.
Jiang has been in touch with the Google Android Security Team and said the OS creator had taken the issue seriously, confirming a fix would be issued by the next major release of Android at the latest.
"From the interaction, I can tell that they took this issue seriously and the investigation was started immediately without any delay," Jiang said.
"Also, I need to mention that this attack is not a root exploit, meaning it still runs within the Android sandbox and cannot grab all files on the system (only those on the SD card and a limited number of others)."
Until a fix has been issued, Jiang offered a number of ways to prevent exploitation of the vulnerability.
"For example, we can temporarily disable JavaScript support in the Android browser or switch to a third-party browser for the time being," he added.
"Users are also encouraged to be cautious when viewing unfamiliar websites."
A Google spokesperson told IT PRO the company had "incorporated a fix for an issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone."
"We're in communication with our partners," the spokesperson added.
Gingerbread was only announced in November 2010 and featured in the Nexus S, which was released just before Christmas.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.