A computer security researcher at NC State University, Xuxian Jiang, has identified a security vulnerability in the latest version of Google Android, version 2.3, also known as Gingerbread. The vulnerability gives attackers access to user data – similar to a vulnerability identified in previous iterations of Android, which Google thought it had fixed with the latest version.
Simply by clicking on a link, Android users may give attackers access to personal information. If exploited, the vulnerability would allow a malicious Web site to read and upload the contents of any file stored on the phone’s microSD (memory) card. Information on the SD card could include saved voicemails, photos or online banking data.
The vulnerability would also allow attackers to find out all of the applications installed on a phone, and upload many of the applications onto a remote server – including all built-in applications.
Jiang, who discovered the vulnerability while working on an Android-related research project, has confirmed it on a Nexus S phone running Gingerbread.
A similar vulnerability was reported in earlier versions of Android, leading Google to make changes in Gingerbread designed to address the flaw. However, Jiang has found that the Gingerbread fix can be bypassed.
Now that this information is out there, programmers can begin to develop means of addressing the vulnerability.