Data-Leak Flaw Found In Newest Version Of Google Android

Published: 22/11/2024   Category: security



Gingerbread, or Version 2.3, contains similar flaw as previous versions



Google's new Android version 2.3, a.k.a. Gingerbread, was supposed to close a previous data-leak hole in the smartphone operating system, but a researcher has discovered a new, similar hole in the OS.
Xuxian Jiang, a security researcher at NC State University, has tested and confirmed the bug on a Nexus S smartphone running Android 2.3. An attack would work like this: An Android user clicks on a malicious link in an email or in the browser, and an attacker could then read and upload any files on the phone's SD memory card, including things like online banking information, pictures, and saved voicemails. An attacker could also root out the phone's apps and upload them to a remote server, according to Jiang, who is an assistant professor in the computer science department.
Google's Android 2.3 was built to fix a similar flaw identified last year that gave an attacker access to files stored on the memory card. But NC State's discovery shows that Google's fix for the flaw can be bypassed.
"Unfortunately, our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed. We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone," Jiang wrote in an alert.
Jiang says he contacted Google's Android security team on Wednesday, and that they have begun an investigation into the issue. "Google is fully aware of this issue and is actively working on the patch," he told Dark Reading. "I was told that a temporary fix is planned for an OTA update. But an ultimate fix will be likely in the next major release."
[UPDATE]: A Google spokesperson said in a statement: "We've incorporated a fix for an issue in the Android browser on a limited number of devices that could, under certain circumstances, allow for accessing application and other types of data stored on the phone. We're in communication with our partners."
The attack is not a root exploit, however: It runs in the Android sandbox, so e-mail and SMS messages can't be accessed by an attacker, according to Jiang. No active exploits have been spotted in the wild.
For now, Android users can protect themselves by disabling JavaScript support in the browser or by using a third-party browser. Another option is to remove the SD card, he says.