Unfortunately, our finding here is that the patch contained in Android 2.3 is not an ultimate fix and can still be bypassed. We have a proof-of-concept exploit with a stock Nexus S phone and are able to successfully exploit the vulnerability to steal potentially personal information from the phone. The attack works by requiring the user to visit a malicious link. Based on the experiments with one of our Nexus S phones, we have leveraged the vulnerability to
I notified the Google Android Security Team on 01/26/2011 and was pleased/impressed to receive their response within 10 minutes. After that, we exchanged emails, including a critical piece of exploit code, to better understand the nature of the vulnerability. From the interaction, I can tell that they took this issue seriously and the investigation was started immediately without any delay. Also, I need to mention that this attack is not a root exploit, meaning it still runs within the Android sandbox and cannot grab all files on the system (only those on the /sdcard and a limited number of others).
The vulnerability is now confirmed and I was told that an ultimate fix will be included no later than the next major release of Android. We are not aware of any active exploitation of this issue.
For responsible disclosure, I will not publish the details of the vulnerability until an ultimate fix is out. However, I would like to share the common intention by informing users about the potential risk (and absolutely NOT about how to exploit), which is the reason why I created this webpage.
Finally, I'd like to thank Nick from the Android Security Team for
verifying the presence of this vulnerability and keeping me informed
as this fix progresses.
Last modified: January 28th, 2011