
A legacy Android Same Origin Policy (SOP) bug discovered by Pakistani researcher Rafay Baloch is being exploited far more widely than previously known, according to new research published by Trend Micro. Trend Micro researcher Simon Huang says they have found many cases of Facebook users being targeted by attacks that exploit this flaw in the web browser of Android versions lower than 4.4, because the Metasploit module is publicly available and many Android manufacturers have yet to patch the bug.

The Bug

The bug, discovered by Rafay Baloch, is a universal cross-site scripting (UXSS) vulnerability in older versions of Android. It affects the WebView component and is triggered when the ‘data’ attribute of a given HTML object is replaced with a JavaScript URL scheme. An attacker can leverage the UXSS flaw to scrape cookie data and page contents from a vulnerable browser window. The security hole can be exploited on all versions of the Android Open Source Project (AOSP) browser, including those using WebView.

Rapid7 has published the Metasploit code (link given above) for this flaw, and attackers are using it to serve victims a malicious JavaScript file stored in a cloud storage account. This is done by pointing the target to a certain Facebook page that leads to a malicious location. Trend researcher Huang says the page contains obfuscated JavaScript code that attempts to load a Facebook URL in an inner frame.

Android's Same Origin Policy (SOP) Exploit allows hackers to hijack your Facebook Accounts

The victim, however, sees only a blank page, because the attacker's HTML uses div tags to cover the viewport while the inner frame is rendered at a size of one pixel.
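The two indicators the article describes (an HTML object whose data attribute carries a javascript: URL, and an inner frame shrunk to one pixel so the victim sees only a blank page) can be checked for statically in a page before it is served or cached. The following Python checker is an added example, not code from the article, Trend Micro, or Rapid7; the two HTML documents it scans are constructed for this example, and the page host name it uses is a placeholder. It flags the literal attribute form of the trigger and the hidden cross-origin frame layout; a loader that assigns the javascript: URL at runtime from obfuscated script would only be seen by instrumenting the browser itself.

```python
"""Static checker for the Android WebView SOP-bypass lure page described above.

Indicators it flags in a served HTML document:
  1. an <object data=...> or <embed src=...> whose URL uses the javascript:
     scheme (the attribute swap that triggers the UXSS in pre-4.4 AOSP WebView);
  2. a near-invisible <iframe> (1px, 0px, display:none, visibility:hidden)
     whose src points at a different host than the page itself (the
     one-pixel inner frame that the victim never sees).
The two HTML samples at the bottom are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

CONTROL_CHARS = re.compile(r"[\x00-\x1f]")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# width/height of exactly 0 or 1 (optionally 'px'); the lookbehind avoids
# matching 'max-width', and \b rejects 10px / 100%.
TINY_STYLE = re.compile(r"(?<![-\w])(?:width|height)\s*:\s*0*[01](?:px)?\b", re.I)


def is_javascript_url(value):
    """True if a URL attribute resolves to the javascript: scheme.

    Browsers strip embedded tabs/newlines before matching the scheme, so
    'java\\tscript:' still executes; normalise the same way before testing.
    """
    cleaned = CONTROL_CHARS.sub("", value or "")
    return cleaned.lstrip().lower().startswith("javascript:")


def is_hidden(attrs):
    """True for a frame styled so the user cannot see it."""
    style = attrs.get("style", "")
    if HIDDEN_STYLE.search(style) or TINY_STYLE.search(style):
        return True
    for dim in ("width", "height"):
        raw = attrs.get(dim, "").strip().lower()
        raw = raw[:-2] if raw.endswith("px") else raw
        if raw.strip().isdigit() and int(raw) <= 1:
            return True
    return False


class LureScanner(HTMLParser):
    """Collects indicator strings while the stdlib parser walks the markup."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("object", "embed"):
            attr = "data" if tag == "object" else "src"
            if is_javascript_url(a.get(attr)):
                self.findings.append(f"<{tag}> with javascript: URL in {attr}")
        elif tag == "iframe":
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and host != self.page_host and is_hidden(a):
                self.findings.append(f"hidden iframe to {host}")


def scan(html, page_host):
    """Return the list of indicators found in `html` served from `page_host`."""
    scanner = LureScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed lure: a full-page blank <div> covers the viewport, the real site
# is loaded in a 1px frame, and an <object> carries a javascript: data URL.
SAMPLE_LURE = """<html><body>
<div style="position:absolute;width:100%;height:100%;background:#fff"></div>
<iframe src="https://www.facebook.com/" style="width:1px;height:1px;border:0"></iframe>
<object data="javascript:void(0)" type="text/html"></object>
</body></html>"""

# Constructed benign page: a normal-sized embed and a non-javascript object.
SAMPLE_BENIGN = """<html><body>
<iframe src="https://video.example.test/embed/1" width="560" height="315"></iframe>
<object data="/media/player.swf" type="application/x-shockwave-flash"></object>
</body></html>"""

if __name__ == "__main__":
    # "lure.example.test" is a placeholder for the host that served the page.
    for name, page in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, scan(page, "lure.example.test") or "no indicators")
```

The checker is deliberately strict about the scheme check: a naive `startswith("javascript:")` on the raw attribute misses the tab-split spelling that browsers accept, which is why control characters are removed first.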

Huang says that with the malware in place, the attacker can do almost anything with the victim’s Facebook account. The JavaScript code can carry out the following activities with the victim’s Facebook account:

  • Add friends
  • Like and follow Facebook pages
  • Modify subscriptions
  • Authorize a Facebook app to access the user’s public profile, friends list, birthday information, likes and friends’ likes
  • Steal the victim’s access tokens and upload them to their server at http://{BLOCKED} $token;
  • Collect analytics data (such as victims’ location, HTTP referrer, etc.) using the legitimate service at https://whos.{BLOCKED}
  • In addition to the code at the above site, Trend found a similar attack at http://www.{BLOCKED}. Trend researchers believe that both were created by the same author, because they share several function names as well as the client_id of the Facebook app.

Trend Micro researchers found that the client_id involved in this malware was “2254487659”.  This is an official BlackBerry App maintained by BlackBerry.

Trend Micro then contacted BlackBerry about their findings. They informed BlackBerry that the attackers wanted to exploit the trust in the BlackBerry name, and that the malware was trying to steal users’ access tokens, which could be used to make requests to Facebook APIs and read users’ information or publish content to Facebook on behalf of the victim. BlackBerry released this statement after Trend contacted them:

“The mobile malware using the Android SOP Exploit (Android Same Origin Policy Bypass Exploit) is designed to target Facebook users regardless of their mobile device platform. However, it attempts to take advantage of the trusted BlackBerry brand name by using our Facebook web app. BlackBerry is continuously working with Trend Micro and Facebook to detect and mitigate this attack. Note that the issue is not a result of an exploit to BlackBerry’s hardware, software, or network.”

At the moment, Trend Micro, Facebook and BlackBerry are working together to detect the attack and prevent it from being carried out against new users.

The Android SOP bug has been around since September 2014, and all Android devices up to Android 4.4 KitKat are vulnerable to this flaw. There are millions of Android smartphones running older versions of Android OS, and cyber criminals can exploit this bug on them to carry out illicit activities. Most cheap smartphones run older versions of Android, making the job of cyber criminals that much easier. If you are an Android smartphone owner, upgrade your smartphone to the latest Android 5.1 Lollipop as soon as possible. If you are still using a smartphone running an antiquated version of Android, now is the time to junk it.