Google has fixed a high-risk security vulnerability in the Android WebView web browser component in the Android routine security update released earlier this year. However, no one knew at the time what the details of the vulnerability were and what were the dangers until the researchers who discovered the vulnerability disclosed the vulnerability. This vulnerability was immediately submitted to Google for confirmation at the beginning of the year. Based on the severity of the vulnerability, Google immediately made an update in the month to block the vulnerability.
CVE-2019-5765 – Insufficient policy enforcement in the browser
The WebView component is a widely used base component in Android that allows developers to call components and access certain online pages within an application. Android browsers using the Chromium engine such as Google Chrome, Samsung Internet Browser, and the Russian YANDEX browser are all affected. At the same time, the problematic engine is widely installed in Android 4.4 and above, so as long as it is 4.4 and above will also be affected by the vulnerability.
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, described the discovery: “The WebView component is used in most Android mobile apps, which makes such attacks extremely dangerous. The most obvious attack scenario involves little-known third-party applications. After an update containing a malicious payload, such applications could read information from WebView. This enables access to browser history, authentication tokens and headers (which are commonly used for login in mobile apps), and other important data.”
An attacker can use this vulnerability to create a special small file to guide the user to click. This small file will be downloaded and run like an installed application. Malicious files that exploit based on this vulnerability can directly access information in the WebView, such as saved browsing history, cookies, and other important data. Even the login account and password of each application can be directly stolen, so this vulnerability is relatively harmful for application developers and users.
Google has fixed this vulnerability in a routine update at the beginning of the year, provided that the user is able to receive the update or it will not be able to completely repair the vulnerability. For users who have already used Android 7.0 and above, they can update Google Chrome directly. An unaffected WebView version has been implemented by Google Chrome.