Menu
Android stock browser vulnerable to URL spoofing

Android stock browser vulnerable to URL spoofing

It's recommended that users install Chrome or another browser

Android browser bug allows attackers to spoof the URLs displayed in the address bar

Android browser bug allows attackers to spoof the URLs displayed in the address bar

A vulnerability in Android's default Web browser lets attackers spoof the URL shown in the address bar, allowing for more credible phishing attacks.

Google released patches for the flaw in April, but many phones are likely still affected, because manufacturers and carriers typically are slow to develop and distribute Android patches.

The vulnerability was discovered by a researcher named Rafay Baloch and was privately reported to Google with the help of security firm Rapid7.

Baloch discovered the flaw on Android 5.0 Lollipop, which uses Chrome as its default browser, but then also confirmed it in the stock browser in older Android versions.

The issue stems from the browser's improper handling of error 204 "No Content" when returned by servers. The researcher created a proof-of-concept exploit that redirects the browser to a non-existent resource on www.google.com, but then loads a spoofed Google Account login page.

The browser patch for Chrome was distributed to Android Lollipop users through Google Play, but the fix for Android 4.4 (KitKat) will require an OS update whose availability will depend on device manufacturers and carriers, said Tod Beardsley, security research manager at Rapid7, via email.

According to Google's official statistics, almost 40 percent of Android devices that access Google Play are running Android 4.4 and only 10 percent run Android 5.x.

Android 4.4 users who haven't received an OS update recently should avoid using the stock browser to access sites that require authentication, Rapid7 said in an advisory. Chrome or other browsers that are updated through Google Play can be good alternatives.

Users who run Android versions older than 4.4 should stop using the Android stock browser, also known as the AOSP browser, anyway because Google will no longer release security patches for it.

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesGooglesecurityRapid7mobile securityscamsExploits / vulnerabilities

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments