TL;DR – WebView was compromised, there’s an update, all you have to do is update Google Chrome and move on with your life.
The bug has been patched. For those who were wondering what last week’s mysterious warnings to just update Chrome were about, they evidently had to do with Instant Apps not enforcing policy correctly.
The insufficient enforcement allowed a tapped app to access browser information: your cookies, tokens, session information, and other things required to spoof your device.
It’s fixed; update and it will be gone. Here’s a neat press release I got on it.
High-risk vulnerability in Android devices discovered by Positive Technologies
Longstanding flaw allows attackers to access sensitive information on all Android devices including browser history, chat messages, and bank applications. The bug was fixed in Google Chrome 72; users need to check if they’ve got a fixed version or not.
Framingham, MA (March 20, 2019) — Positive Technologies researcher Sergey Toshin has discovered a critical vulnerability in all versions of Android since version 4.4. The bug was found in the WebView component. With it, an attacker could use installed malware or instant apps to gain access to the personal data of Android users.
The severity of the vulnerability (CVE-2019-5765) was ranked by Google as High.
WebView is an Android component that allows web pages to be displayed inside Android apps. The vulnerability was detected in the Chromium engine, which powers WebView on Android versions 4.4 and later. The vulnerability threatens users of Chromium-based mobile browsers, including Google Chrome, Samsung Internet Browser, and Yandex Browser.
Instant apps allow users to try an application without having to install it first. After a user has clicked a browser link, the smartphone downloads a small file which runs like a native app, with access to the hardware, but does not take up storage on the device. If an attack is conducted via an instant app, data can be intercepted after a user taps a link to a malicious app.
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, described the discovery: “The WebView component is used in most Android mobile apps, which makes such attacks extremely dangerous. The most obvious attack scenario involves little-known third-party applications. After an update containing a malicious payload, such applications could read information from WebView. This enables access to browser history, authentication tokens and headers (which are commonly used for login in mobile apps), and other important data.
“Since Android 7.0, WebView has been implemented via Google Chrome and, therefore, updating the browser is enough to fix the bug. On earlier Android versions, WebView must be updated via Google Play. Users who do not have Google Play Services on their smartphones should wait for a WebView update from the device manufacturer.”
About Positive Technologies
Positive Technologies is a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection. Commitment to clients and research has earned Positive Technologies a reputation as one of the foremost authorities on Industrial Control System, Banking, Telecom, Web Application, and ERP security, supported by recognition from the analyst community.
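A triage sketch for the update guidance in the press release, added here as an example and not code from Positive Technologies or Google: it reads the versionName from `adb shell dumpsys package <pkg>` output and applies the release's rule (Chrome from Android 7.0, the separate WebView package before that). Assumptions: the device data below is constructed, and the Chrome 72 threshold is also applied to the standalone WebView package, which the release does not state.

```python
import re

FIXED_MAJOR = 72                        # press release: fixed in Google Chrome 72
CHROME = "com.android.chrome"
WEBVIEW = "com.google.android.webview"  # standalone Android System WebView

def version_name(dumpsys_text):
    """First versionName in `dumpsys package <pkg>` output, or None if absent."""
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_text, re.MULTILINE)
    return m.group(1) if m else None

def governing_package(android_release):
    """Rule from the release: Chrome backs WebView since Android 7.0."""
    return CHROME if int(android_release.split(".")[0]) >= 7 else WEBVIEW

def assess(android_release, dumpsys_by_pkg):
    """Return (package, versionName, verdict) for one device."""
    pkg = governing_package(android_release)
    name = version_name(dumpsys_by_pkg.get(pkg, ""))
    if name is None or not name.split(".")[0].isdigit():
        # Package missing or unparsable (e.g. no updatable WebView package):
        # needs a manufacturer update or manual review.
        return pkg, name, "unknown"
    major = int(name.split(".")[0])
    # Assumption: the 72 threshold also applies to the standalone WebView.
    return pkg, name, "patched" if major >= FIXED_MAJOR else "update required"

# Constructed sample inventory: device -> (Android release, captured dumpsys text).
FLEET = {
    "phone-a": ("8.1.0", {CHROME: "Packages:\n    versionName=71.0.3578.99\n"}),
    "phone-b": ("9", {CHROME: "Packages:\n    versionName=72.0.3626.105\n"}),
    "tablet-c": ("6.0.1", {WEBVIEW: "Packages:\n    versionName=72.0.3626.121\n"}),
    "legacy-d": ("4.4.4", {}),  # no updatable WebView package reported
}

def triage(fleet):
    """Map each device name to its (package, versionName, verdict) tuple."""
    return {dev: assess(rel, dumps) for dev, (rel, dumps) in fleet.items()}

if __name__ == "__main__":
    for dev, result in triage(FLEET).items():
        print(dev, *result)
```

Devices reported as "unknown" are the ones the release says must wait for a WebView update from the manufacturer, or ones where the package query returned nothing usable.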