BadKernel Vulnerability Affects One In Every 16 Android Smartphones
Researchers from Chinese cyber-security firm Qihoo 360 discovered that they could influence the Google’s V8 JavaScript engine bug discovered in 2015 to perform malicious code on Android devices via the vulnerable apps where the V8 engine had been fixed.
It all started in the summer of 2015, when a security bug in Google’s V8 JavaScript engine that affected versions between 3.20 and 4.2, which are widely used in most Android built-in Web browsers. The same engine also underpins Chrome and Opera browsers, as well as apps that call it e.g. Tencent X5 SDK used in WeChat.
However, only in August 2016 did the Chinese researchers discover that the V8 issue also affected a whole range of Android-related products where the older V8 engine versions had been deployed, despite this bug being public for more than a year.
Dubbed as BadKernel, this newly discovered zero-day vulnerability in Google’s Chromium mobile browser allows them to gain control of a user’s Android smartphone. The exploits include access to SMS, contacts, location, camera and microphone, credit card wallets and passwords. It specifically targets Messages, Facebook, Gmail, and Twitter.
Huge number of smartphone makers either use Chromium’s V8 engine for their Web browser or install Chrome as the default. Therefore, going by market share and using Chromium-based browsers alone, the smartphone models of all big vendors, such as Samsung, Motorola, LG, Sony and Huawei are majorly impacted.
“Since many phones are not using the most current browser software, I expect this zero-day attack will be used widely by hackers,” said Allan Zhang, chief executive and co-founder of Trustlook.
“Users should run a quick scan of their phone and update their browser if they are affected.”
Trustlook, who operates a mobile antivirus solution for Android devices, has leveraged telemetry data from its customers to collect some statistics on the number of possibly affected users.
The company says that 41.48% of all Samsung smartphone models may be affected by the BadKernel flaw. Further, 38.89% of Huawei smartphone models may also affected, followed by 26.67% of all Motorola models, and 21.93% of LG devices.
With one in every five devices vulnerable to BadKernel, the most affected country seems to be Peru. Peru is followed by France (14.7%), Nigeria (12.4%), Bangladesh (10.2%), and Thailand (9.4%).
The hackers face no problems in weaponizing and deploying BadKernel exploits, as the BadKernel flaw can be abused just by loading the content of a malicious webpage. They mainly use socially engineered emails and SMS to encourage users to click on a link.
Even though the cure is being rolled out by manufacturers, it is unlikely to be useful except for late-model smartphones considering Android’s fragmentation and the number of older versions in use. Until then, besides taking extreme care of older handsets, it is suggested not click on links in SMS and emails.
Currently, although the V8 engine is at version 5.1, the vulnerable versions are still implanted in many applications, some of which have remained out-of-date, while others have not been updated by their users.
The vulnerability can be identified by Trustlook’s app on Google Play.
Source: Softpedia
