How to avoid Android E-Z-2 Use exploit?


This exploit has been around for over a year, but I just became aware of it. It uses a WebView vulnerability to inject JavaScript in the Android browser and potentially gain access to SD card files, contacts, the file system, camera and more. Since this can be a drive-by attack using a malicious website, I’m concerned that apps could potentially direct me to one of these websites. Apparently, this was fixed in Android 4.2 and later, but I’m stuck at 4.1 on my phone and don’t expect to see an update. What can I avoid this exploit?

Topic: Security
Answer this Question


2 total
Vote Up (4)

Wstark has a good answer for this. Here's more info on the exploit:

E-Z-2-Use attack code exploits critical bug in majority of Android phones

"Recently-released attack code exploiting a critical Android vulnerability gives attackers a point-and-click interface for hacking a majority of smartphones and tablets that run the Google operating system, its creators said.

The attack was published last week as a module to the open-source Metasploit exploit framework used by security professionals and hackers alike. The code exploits a critical bug in Android's WebView programming interface that was disclosed 14 months ago. The security hole typically gives attackers remote access to a phone's camera and file system and in some cases also exposes other resources, such as geographic location data, SD card contents, and address books. Google patched the vulnerability in November with the release of Android 4.2, but according to the company's figures, the fix is installed on well under half of the handsets it tracks."

Vote Up (4)

It’s actually very easy - use the Chome or Opera browser instead of the Android browser. I’m not certain which of the other browsers don’t use WebView, but those two don’t, so you should be fine even with an older version of Android. You may have to tell some apps to use Chrome (or Opera) instead of the Android browser, but the transition should be painless. Plus both are better than the stock Android browser anyway, so you will be improving your overall experience.

Ask a question

Join Now or Sign In to ask a question.
Financial institutions use many technologies to fight crime, but much of the work comes too late, focusing on suspicious activity, like uncharacteristic charges or money transfers, after it happens.
Dennis Technology Labs says it tested it because of marketing claims for it; Malwarebytes says free version of product is just a clean-up tool.
A new survey of IT security professionals shows that many businesses are barely starting to exploit mobile technology, and some of them may be a mobile security nightmare waiting to happen.
The Russian Ministry of Interior is willing to pay 3.9 million roubles, or around US$111,000, for a method to identify users on the Tor network.
Public certificate authorities (CAs) are warning that as of Nov. 1 they will reject requests for internal SSL server certificates that don't conform to new internal domain naming and IP address conventions designed to safeguard networks.
European data protection authorities still have questions after meeting with Google, Microsoft and Yahoo about the implementation of a recent ruling that gave European citizens the right to be forgotten by search engines.
An iPhone user has filed a lawsuit for invasion of privacy against Apple, about a week after a Chinese state broadcaster raised security concerns about the device's location-tracking functions.
Handling a software flaw can be messy, both for a security researcher who found it and for the company it affects. But a new set of guidelines aims to make that interaction less mysterious and confrontational.
A hacker group calling itself "Anonymous Kenya" has poked holes at the government's cybersecurity preparedness by hacking two official Twitter accounts.
New guidance from Microsoft researchers suggests that users re-use simple passwords and avoid password management services.
Join us: