Researcher Discovered 5-Year-Old Chromium Bug Affecting All Androids Since KitKat

The Android operating system has more than 2 billion users. It reached that number by powering almost every mobile device on Earth apart from Apple's.

But with that number comes great responsibility, and that is where Android frequently fails.

According to Sergey Toshin, a mobile security researcher at the threat detection firm Positive Technologies, the operating system has a bug that went undetected for more than five years.

The bug in question originated in Chromium.

Chromium for Android has a component called 'WebView', which lets apps load web pages in a sort of mini-browser without the user having to leave the app. The vulnerability allows attackers to use this WebView to read user data, which in turn gives them broader access to victims' devices.

Because Chromium is an open-source project that powers Chrome and many other browsers, the bug can be exploited by bad actors to target not only Chrome on mobile, but also other popular browsers.

"An attacker could launch an assault on any Chromium-based mobile browser on an Android device, including Google Chrome, Samsung Internet Browser, and Yandex Browser, and retrieve data from its WebView," explained Toshin.

Five years undetected means the bug has been present in every Android version since 2013's 4.4 KitKat.

In one scenario, attackers can gain long-term access to a victim by tricking them into downloading and installing a malicious app they develop that incorporates WebView.

Alternatively, attackers can use the bug to gain quick access by tricking victims into clicking a malicious link that then opens through Android's Instant Apps feature, which lets users run a version of an app immediately without actually installing it.

In this scenario, attackers won't have permanent, persistent access and would have only a limited window of time to gather users' data or personal information.

But just as quickly as the attacker gets a peek into the victim's device, they can leave the scene without a trace.

Making matters worse, "In most cases it is almost impossible to detect it," continued Toshin.

Android System WebView

"After an update containing a malicious payload, such applications could read information from WebView. This enables access to browser history, authentication tokens commonly used for login in mobile apps, and other important data," explained Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies.

Positive Technologies disclosed the bug to Google in January 2019, and the company patched it (CVE-2019-5765) as part of Chrome 72 at the end of that month.

This means devices running Android 7 or later receive the fix through the regular Chrome updates, while devices running Android 5 and 6 need a separate update for WebView through Google Play.

Android users who have automatic updates turned on should already be protected; those who turned the feature off need to install the updates manually.
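As an added example that is not part of the article, the following POSIX shell script shows how a defender could check a device against the two update paths just described: pick the package that supplies WebView for the device's Android release and compare its installed version against 72, the Chrome release the article names as carrying the fix. The package names, the version threshold and the sample `dumpsys` output are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the article. Decides which package supplies WebView for a
# given Android release and whether its installed version is at or above 72, the
# Chrome release the article says shipped the fix for CVE-2019-5765.
# Assumptions: package names follow the article's two update paths (Chrome on 7+,
# a separate Android System WebView on 5/6); the sample dumpsys text is constructed.

# Map an Android release string ("6.0.1", "7.1.2", "4.4") to the WebView provider.
webview_provider() {
  major=${1%%.*}
  if [ "$major" -ge 7 ]; then echo com.android.chrome             # fixed via Chrome updates
  elif [ "$major" -ge 5 ]; then echo com.google.android.webview   # separate Play update
  else echo none                                                  # 4.4: no fix released
  fi
}

# Pull the first versionName value out of `dumpsys package <pkg>` style output.
version_from_dumpsys() {
  sed -n 's/^[[:space:]]*versionName=\([0-9.]*\).*/\1/p' | head -n 1
}

# Succeeds when the major version is at least 72 (the patched release line).
is_patched_version() {
  [ "${1%%.*}" -ge 72 ] 2>/dev/null
}

# Constructed stand-in for:
#   adb shell dumpsys package "$(webview_provider "$(adb shell getprop ro.build.version.release)")"
SAMPLE_DUMPSYS='Packages:
  Package [com.google.android.webview] (1a2b3c):
    versionCode=357100000 minSdk=21 targetSdk=28
    versionName=71.0.3578.99
    splits=[base]'

# check_device RELEASE DUMPSYS_OUTPUT -> exit 0 if patched, 1 if an update is needed.
check_device() {
  release=$1; dumpsys_out=$2
  pkg=$(webview_provider "$release")
  if [ "$pkg" = none ]; then
    echo "Android $release: no fix was released, treat as vulnerable"; return 1
  fi
  ver=$(printf '%s\n' "$dumpsys_out" | version_from_dumpsys)
  if is_patched_version "$ver"; then
    echo "Android $release: $pkg $ver is at or above 72, patched"; return 0
  fi
  echo "Android $release: $pkg ${ver:-unknown} is below 72, update needed"; return 1
}

check_device 6.0.1 "$SAMPLE_DUMPSYS" || true   # sample provider is 71.x: update needed
```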

Google noted that it didn't and won't release a patch for Android 4.4, because the operating system is more than five years old and, it says, runs on only a small percentage of devices.

But according to Google's own numbers, 7.6 percent of Android devices still run KitKat in 2019. With Android's 2 billion users, that percentage amounts to about 152 million devices.

That is certainly a huge number, larger even than the share of 2017's Android Oreo, which in 2019 stands at 7.5 percent.

Both Toshin and Google noted that devices built on Android that don't include Google Play, like Amazon Kindles, rely on their manufacturers to issue a separate patch.

Because Android is an open-source project running on billions of phones, security updates and patches depend on manufacturers, carriers, or both.

This is where Android's fragmented ecosystem creates problems. The problem is inherent to Android, and won't ever be resolved.