Despite this bug having been public for more than a year, it was only in August 2016 that Chinese security researchers discovered that the V8 issue also affected a whole range of Android-related products in which older V8 engine versions had been deployed.
Researchers from Chinese cyber-security firm Qihoo 360 discovered that they could leverage the 2015 V8 bug to execute malicious code on Android devices via the vulnerable apps where the V8 engine had been embedded.
This bug, nicknamed BadKernel, allowed them to steal data from the device, take over the user’s camera, intercept SMS messages, and do anything else they wanted. Since this was an RCE (Remote Code Execution) flaw, the attackers had full control over any affected smartphone.
Because the BadKernel flaw can be exploited just by loading the content of a malicious web page, attackers face no difficulty in weaponizing and deploying BadKernel exploits.
Google ships the V8 engine with the Chromium mobile browser framework, used for the creation of mobile browsers such as Chrome and Opera.
The V8 engine also ships with the WebView Android component, which mobile developers use inside their apps to view Web content inside the application, without opening a dedicated browser.
Currently, many popular apps, such as WeChat, Facebook, Twitter, and Gmail, use the WebView component. Vulnerable WebView versions are also the default on Android 4.4.4 up to version 5.1.
Additionally, some SDKs, such as the Tencent X5.SDK, also deployed a custom V8 engine based on the V8 versions vulnerable to BadKernel. This means that apps created with this SDK are also vulnerable to BadKernel attacks. This list consists mainly of Chinese mobile apps such as QQ, QQ Space, Jingdong, 58 City, Sohu, and Sina News.
While the V8 engine is currently at version 5.1, the vulnerable versions are still embedded in many applications, some of which still ship the out-of-date code, while others have not been updated by their users.
At the time of writing, the BadKernel flaw has received very little attention, despite being known since August 2016.
“BadKernel is still relatively unknown in the US and Europe because it was discovered by the Qihoo 360 research group who published their original findings in Chinese, which was not easily accessible by the rest of the world,” Clark Dong of Trustlook Mobile Security told Softpedia via email.