[ISN] Beware of employees’ cheap Android phones

http://www.csoonline.com/article/748548/beware-of-employees-cheap-android-phones By Antone Gonsalves CSO Online February 20, 2014 An Android vulnerability known since 2012 has recently been found to be more serious than previously thought, particularly in phones that cost less than $150. When first discovered, the vulnerability in the WebView class used to embed a browser component to display online content in an app was thought to require an ongoing man-in-the-middle attack to be exploited. Security vendor Rapid 7 recently found that not to be the case. Researcher Joe Vennix found that the vulnerability in Android versions below 4.2, which is early Jelly Bean, could be exploited by clicking on a link in a text message, which would send the recipient to a malicious website. At that point, the attacker could throw up whatever Web page they like, while JavaScript is downloaded in the background to exploit the vulnerability. “In our exploit, it’s just a blank page. There’s nothing there,” Tod Beardsley, engineering manager at Rapid7, said. “But by the time you hit the blank page, the gears are in motion.” […]