Stealing Sensitive Data From Android Devices

Android is now widely used all over the world, thanks to the availability of free applications and inexpensive devices. On the other hand, many vulnerabilities are discovered on a daily basis. Some of these vulnerabilities are fixed, but others still work.

There is an interesting exploit in the wild that allows an attacker to obtain sensitive data from an Android device. It is caused by the Android browser allowing JavaScript to run without notifying the user. With a PHP and JavaScript script, an attacker can force the victim to open any file and upload it to the malicious website. You can watch the following PoC video for the vulnerability:


Android Data Stealing Vulnerability from Thomas Cannon on Vimeo.

The script is divided into three stages: the first is the malicious URL, the second redirects the user to download the malicious script, and the last executes the malicious JavaScript and writes the required file to the server.

To protect your devices from such an attack, you need to disable JavaScript in the browser (uncheck “Settings > Enable JavaScript”).

You can find the exploit at the following link: