Security experts have discovered a new flaw in Android browser that allows attackers to run scripts that can read the contents of any open tab and harvest private data. The security flaw affects Android devices running any version prior to 4.4.
The flaw was first reported by ethical hacker and blogger Rafay Baloch, who has tested it on a variety of devices, since then his findings have further been confirmed by others in the security industry. According to Google's own analytics, this affects at least 75 percent of all Android users as very large proportion of new phones also ship with Android 4.3 or lower.
According to reports the problem relates the Single-Origin Policy, which can be bypassed for the Android browser by deliberately feeding it a malformed instruction which allows scripts to be run without supervision. This simple exploit allows attackers to read data even from secure sites once they are opened, and redirect the data to any external site.
According to Baloch, "A SOP bypass occurs when a siteA.com is some how able to access the properties of siteB.com such as cookies, location, response etc. Due to the nature of the issue and potential impact, browsers have very strict model pertaining it and a SOP bypass is rarely found in modern browsers, however, they are found once in a while."
Google has not yet responded to the disclosure.
CISCO's annual Security report has stated that 99 percent of all mobile malware in 2013 targeted Android devices. According to a report by Trend Micro mobile malware threats will remain a growing concern and will continue to increase in 2014. Read: Google increases Android security with continuous malware scanning
Source: Rafay Baloch