SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
6 Oct 2016

BadKernel vulnerability affects one in 16 Android smartphones

A security bug in Google's V8 JavaScript engine is indirectly affecting around one in 16 Android devices, impacting smartphone models from all major vendors, such as LG, Samsung, Motorola, and Huawei.

The issue at play here was discovered and fixed in the summer of 2015, and it affected the Google V8 JavaScript engine between versions 3.20 and 4.2.

Despite this bug being public for more than a year, only in August 2016 did Chinese security researchers discover that the V8 issue also affected a whole range of Android-related products where the older V8 engine versions had been deployed.

BadKernel flaw is trivial to exploit, just like Stagefright

Researchers from Chinese cybersecurity firm Qihoo 360 discovered that they could leverage the 2015 V8 bug to execute malicious code on Android devices via the vulnerable apps where the V8 engine had been embedded.

This bug, nicknamed BadKernel, allowed them to steal data from the device, take over the user's camera, intercept SMS messages, and do anything else they wanted. Since this was an RCE (Remote Code Execution) flaw, the attackers had full control over any affected smartphone. Because the BadKernel flaw can be exploited just by loading the content of a malicious web page, attackers face no difficulty in weaponizing and deploying BadKernel exploits.

BadKernel affects countless other apps

Google ships the V8 engine with the Chromium mobile browser framework, used for the creation of mobile browsers such as Chrome and Opera. The V8 engine also ships with the WebView Android component, which mobile developers use inside their apps to view Web content inside the application, without opening a dedicated browser.

Currently, many popular apps such as WeChat, Facebook, Twitter, or Gmail use the WebView component. Vulnerable WebView versions are also the default on Android 4.4.4 up to version 5.1. Additionally, some SDKs, such as the Tencent X5.SDK, also deployed a custom V8 engine, based on the V8 versions vulnerable to BadKernel. This means that apps created with this SDK are also vulnerable to BadKernel attacks. This list mainly consists of Chinese mobile apps such as QQ, QQ Space, Jingdong, 58 City, Sohu, and Sina News.

Many outdated apps still use vulnerable WebView components

While the V8 engine is currently at version 5.1, the vulnerable versions are still embedded in many applications, some of which have remained out of date, while others have not been updated by their users. At the time of writing, the BadKernel flaw has received very little attention, despite being known since August 2016.

"BadKernel is still relatively unknown in the US and Europe because it was discovered by the Qihoo 360 research group who published their original findings in Chinese, which was not easily accessible by the rest of the world," Clark Dong of Trustlook Mobile Security said via email.

All major smartphone vendors affected by BadKernel flaw

Dong's company has compiled a list of smartphone models, Android versions, and browser versions that are currently vulnerable to this flaw. The list includes all the big industry names from Alcatel to HTC, and from Lenovo to Sony, just to name a few. Trustlook, which operates a mobile antivirus solution for Android devices, has leveraged telemetry data from its customers to gather some statistics on the number of potentially affected users.

The company says that 41.48 percent of all Samsung smartphone models may be affected by the BadKernel flaw. Additionally, 38.89 percent of Huawei smartphone models may also be affected, followed by 26.67 percent of all Motorola models, and 21.93 percent of all LG devices. The most affected country seems to be Peru, with one in every five devices vulnerable to BadKernel. Peru is followed by France (14.7 percent), Nigeria (12.4 percent), Bangladesh (10.2 percent), and Thailand (9.4 percent).

Three in four LG built-in browsers affected by BadKernel

The same telemetry data has also revealed that the most affected browsers are LG's built-in browser (75.1 percent of all installations are vulnerable), followed by Samsung's built-in browser (41 percent of all installations), and standalone mobile Google Chrome browsers (11 percent of all installations).

Users who want to check if their device model is affected can consult this list on Trustlook's website, or they can install a dedicated BadKernel security scanner from the Play Store. To avoid exposing themselves to BadKernel attacks, users should always keep their apps up to date, and they should not delay installing Android OS system updates.
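For teams that keep an inventory of apps and devices, the two version ranges given in this article can be checked in bulk. The sketch below is an added example, not code from Softpedia, Trustlook or Qihoo 360; the record fields (`app`, `v8`, `android`), the sample data and the choice to treat both ends of each range as inclusive are assumptions.

```python
import re

# Ranges as stated in the article; treating both ends as inclusive is an assumption.
V8_RANGE = ((3, 20), (4, 2))
ANDROID_RANGE = ((4, 4, 4), (5, 1))

# Constructed sample inventory; app names and field names are hypothetical.
SAMPLE_INVENTORY = [
    {"app": "news-reader", "v8": "3.20.17", "android": "6.0"},
    {"app": "shop-client", "v8": "3.3.10", "android": "4.4.2"},
    {"app": "mail-client", "v8": None, "android": "5.1.1"},
    {"app": "chat-client", "v8": "4.2.77.21", "android": "4.4.4"},
    {"app": "legacy-kiosk", "v8": "unknown", "android": None},
    {"app": "browser", "v8": "5.1.281", "android": "7.0"},
]


def parse_version(text):
    """Turn '4.2.77.21' into (4, 2, 77, 21); return None if not a dotted number."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version, low, high):
    """Inclusive check; each bound is compared at its own precision, so
    4.2.77 counts as 4.2 and 3.3 is correctly older than 3.20."""
    if version is None:
        return False
    padded = version + (0,) * max(len(low), len(high))
    return padded[:len(low)] >= low and padded[:len(high)] <= high


def triage(records):
    """Map app name -> reasons it needs attention; clean apps are omitted."""
    findings = {}
    for rec in records:
        v8, android = parse_version(rec.get("v8")), parse_version(rec.get("android"))
        reasons = []
        if in_range(v8, *V8_RANGE):
            reasons.append("embedded V8 in 3.20-4.2")
        if in_range(android, *ANDROID_RANGE):
            reasons.append("default WebView on Android 4.4.4-5.1")
        if v8 is None and android is None:
            reasons.append("no parsable version, check manually")
        if reasons:
            findings[rec["app"]] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in triage(SAMPLE_INVENTORY).items():
        print(app, "->", "; ".join(reasons))
```

Comparing versions as integer tuples matters here: a string or float comparison would rank 3.3 above 3.20 and misclassify older engines as in range.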

Tags:
Android information leaks
Source:
Softpedia