Android devices running KitKat or later versions affected by a major security bug

• This critical vulnerability was found in the WebView component of Android.
• It is reportedly fixed in Google Chrome version 72 app for Android devices.

A severe security flaw on Android devices was identified by researchers from Positive Technologies. Sergey Toshin, a mobile application security expert at Positive Technologies unearthed the flaw on the popular platform. It was found to affect the WebView component used in browsers such as Google Chrome, Yandex, and many others.,

How is the vulnerability exploited?

• Attackers can make use of Instant apps in Android to deploy malicious software or app to steal personal data from the device.
• Instant apps generally enable users to try an app without installation. This means, only hardware components are utilized for running without having to access the storage section in the device.
• Attackers can interrupt this path by injecting a malicious app sneakily without detection.
• These apps can now snoop on user information and can possibly perform any additional malicious tasks.
• Google has rated the vulnerability as ‘high’.

Why it matters - The vulnerability was the result of incorrect policy enforcement in browsers which could allow attackers to inject malicious apps.

Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, explained further stating that, “The WebView component is used in most Android mobile apps, which makes such attacks extremely dangerous. The most obvious attack scenario involves little-known third-party applications."

"After an update containing a malicious payload, such applications could read information from WebView. This enables access to browser history, authentication tokens and headers (which are commonly used for login in mobile apps), and other important data,” Galloway added.