The most serious vulnerability ever found on Android: Trojan can upload files. Android, Trojan, Vulnerability, Files. It's often said that iPhone users play with software while Android users play with firmware, and this statement is indeed true. The open nature of Android provides numerous downstream manufacturers with the opportunity to create their own MODs and modifications, leading to the prosperity of the entire Android empire. However, Google's rather extensive management style has also brought about several problems in the Android market, one of the most severe being security vulnerabilities.
▲ Security vulnerabilities are a serious issue caused by Google's extensive management.
Previously, we reported that Android had been analyzed by Coverity and was found to have 88 kernel-level vulnerabilities, which were already alarming. However, compared to a vulnerability exposed today, these 88 are merely small fry. In Brazil, a woman gave birth via C-section to a two-headed baby sharing a heart and lungs (pictured).
Information security researcher Thomas Cannon disclosed this vulnerability today. The specific process of exploitation is as follows:
1. The built-in Android browser silently downloads a file without prompting the user, for example "payload.html," which automatically downloads to the /sdcard/download/payload.html directory.
2. This file is executed via JavaScript and displayed as a local file within the Android browser, with no prompts during execution.
3. Once successfully opened, JavaScript will be able to read any local file content and other data.
4. After JavaScript gains access to a file's contents, the Trojan will have the ability and permission to automatically send it to any specified location.
In other words, if a Trojan exploits this vulnerability, all data, documents, or even private photos on your phone's storage card will be completely at risk. Are you shaking yet?
▲ This vulnerability will be fixed in Android 2.3.
Thomas Cannon notified Google a few days ago, and the Android development team responded within 20 minutes, stating that they had already begun work on addressing the vulnerability. The fix will be included in the upcoming Android 2.3 operating system update. This delay may well be the reason why Google postponed the release of Android 2.3.
However, such a fix won't save all Android devices because, after the release of version 2.3, only a few models will receive updates. Millions of Android devices either cannot update to version 2.3 or run customized user interface systems made by manufacturers, meaning the threat will still exist. What Google should do is release separate browser upgrades or patches for different versions of the system to keep malicious web-based Trojans out.