“Privacy Disaster” Android Bug Could Affect 75% of Android Devices

Shaikh Rafia
Posted 2 years ago

Being termed as privacy disaster, the latest Android bug can affect anyone not on the latest Android 4.4 KitKat. The bug infects your Android device when you direct the browser to a specially designed website that injects infected javascript into your device. This bypasses SOP protection used by most of the browsers to protect such an infection from happening. According to Alan Woodward, security expert University of Surrey, the exploit allows access to all of your private date potentially creating more problems for the victim using that data.

Considering the vulnerability is open to anyone not on the Android 4.4, the equation would make every 3 out of 4 Android users vulnerable to possible targets. However, the actual number is a lot lower considering the privacy disaster bug only affects those using the Android Open Source Platform (AOSP) browser.android Privacy Disaster bug

Android Privacy Disaster bug:

The bug was first identified by a security researcher Rafay Baloch who released the bug details sharing that he has been able to exploit a number of devices like the Samsung Galaxy S3, Sony Xperia tipo, Motorola Droid Razr, HTC Evo 3D, and the HTC Wildfire. While Google has yet to comment on this rather critical bug, there are insecurities arising that the same flaw could be used to allow a bypass of the SOP protection used by other, more modern browsers.

An attacker wanting to exploit this flaw would convince a user to visit their specially-crafted website, which would run JavaScript code that prepended a URL handler (which points the browser to executable code) with a null byte as here “u0000javascript:”, Rapid7’s Tod Beardsley explained over email. This would then allow the hacker to inject whatever JavaScript they wanted across other sites.


From this point on, the attacker can cause untold trouble for the victim. “Normally, I can’t just choose to run JavaScript in whatever domain context I want. If I can do that, I can do all sorts of things – scrape web pages, read password fields, hijack a session,” – Forbes

This possibility of the flaw enabling hacker to do all sorts of things is what has gotten the bug the rather extremist name of Privacy Disaster bug. The situation gets even more serious as the exploit code has been uploaded to Metasploit – a platform used by hackers to breach systems.

Qualcomm-Based Android Devices Vulnerable to Attacks - CyanogenMod Also Affected

– Source of Privacy Disaster bug: Forbes

Share on Facebook Share on Twitter Share on Reddit