Security flaw affects Chromium browsers & WebView component

Oct 5, 2016 01:30 GMT  ·  By

A security bug in Google's V8 JavaScript engine is indirectly affecting around one in 16 Android devices, impacting smartphone models from all major vendors, such as LG, Samsung, Motorola, and Huawei.

The issue at play here was discovered and fixed in the summer of 2015 and affected the Google V8 JavaScript engine between versions 3.20 and 4.2.

Despite this bug being public for more than a year, only in August 2016 did Chinese security researchers discover that the V8 issue also affected a whole range of Android-related products where the older V8 engine versions had been deployed.

BadKernel flaw is trivial to exploit, just like Stagefright

Researchers from Chinese cyber-security firm Qihoo 360 discovered that they could leverage the 2015 V8 bug to execute malicious code on Android devices via the vulnerable apps where the V8 engine had been embedded.

This bug, nicknamed BadKernel, allowed them to steal data from the device, take over the user's camera, intercept SMS messages, and anything else they wanted. Since this was an RCE (Remote Code Execution) flaw, the attackers had full control over any affected smartphone.

Because the BadKernel flaw can be exploited just by loading the content of a malicious web page, attackers face no difficulty in weaponizing and deploying BadKernel exploits.

BadKernel affects countless other apps

Google ships the V8 engine with the Chromium mobile browser framework, used for the creation of mobile browsers such as Chrome and Opera.

The V8 engine also ships with the WebView Android component, which mobile developers use inside their apps to view Web content inside the application, without opening a dedicated browser.

Currently, many popular apps, such as WeChat, Facebook, Twitter, or Gmail, use the WebView component. Vulnerable WebView versions are also the default on Android 4.4.4 up to version 5.1.

Additionally, some SDKs, such as the Tencent X5.SDK, also deployed a custom V8 engine based on the V8 versions vulnerable to BadKernel. This means that apps created with this SDK are also vulnerable to BadKernel attacks. This list consists mainly of Chinese mobile apps such as QQ, QQ Space, Jingdong, 58 City, Sohu, and Sina News.

Many outdated apps still use vulnerable WebView components

While the V8 engine is currently at version 5.1, the vulnerable versions are still embedded in many applications, some of which have not been updated by their developers, while others have not been updated by their users.

At the time of writing, the BadKernel flaw has received very little attention, despite being known since August 2016.

"BadKernel is still relatively unknown in the US and Europe because it was discovered by the Qihoo 360 research group who published their original findings in Chinese, which was not easily accessible by the rest of the world," Clark Dong of Trustlook Mobile Security told Softpedia via email.

All major smartphone vendors affected by BadKernel flaw

Dong's company has compiled a list of smartphone models, Android versions, and browser versions that are currently vulnerable to this flaw. The list includes all the big industry names from Alcatel to HTC, and from Lenovo to Sony, just to name a few.

Trustlook, which operates a mobile antivirus solution for Android devices, has leveraged telemetry data from its customers to gather some statistics on the number of potentially affected users.

The company says that 41.48 percent of all Samsung smartphone models may be affected by the BadKernel flaw. Additionally, 38.89 percent of Huawei smartphone models may also be affected, followed by 26.67 percent of all Motorola models and 21.93 percent of all LG devices.

The most affected country seems to be Peru, with one in every five devices vulnerable to BadKernel. Peru is followed by France (14.7 percent), Nigeria (12.4 percent), Bangladesh (10.2 percent), and Thailand (9.4 percent).

Three in four LG built-in browsers affected by BadKernel

The same telemetry data has also revealed that the most affected browsers are LG's built-in browser (75.1 percent of all installations are vulnerable), followed by Samsung's built-in browser (41 percent of all installations), and the standalone mobile Google Chrome browser (11 percent of all installations).

Users who want to check if their device model is affected can consult this list on Trustlook's website, or they can install a dedicated BadKernel security scanner from the Play store (how-to video here).

To avoid exposing themselves to BadKernel attacks, users should always keep their apps up to date, and they should not delay installing Android OS system updates.

[Image: BadKernel flaw explained]
[Image: An Android device vulnerable to the BadKernel flaw]