A third-party advertising library called InMobi, used by many Android applications, opens a potential backdoor into mobile devices.
Attackers who are in a position to intercept traffic coming from an app that uses InMobi can inject JavaScript commands into that traffic and force the app to make phone calls, send text messages to premium-rate numbers, create calendar events, access the photo gallery and post on social networks on the user's behalf, according to researchers from security firm FireEye.
The problem stems from InMobi's use of an Android API (application programming interface) feature called addJavascriptInterface that can be used to expose a Java object's methods to content loaded in a WebView, a window that displays Web pages.
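The pattern described above, shown next to a hardened setup, as an added example that is not code from InMobi, FireEye or the original article. The class names, the bridge name adBridge and the ads.example.invalid host are assumptions made for illustration; the Android calls are the platform's own WebView APIs.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical ad bridge setup; names are illustrative, not InMobi's API.
public final class AdBridgeSetup {

    // When the app targets API level 17 or higher, only public methods
    // annotated with @JavascriptInterface are callable from page script.
    public static final class AdBridge {
        @JavascriptInterface
        public String sdkVersion() { return "1.0-example"; }

        // No annotation: stays native-only, so injected script cannot reach it.
        public void placeCall(String number) { /* sensitive action */ }
    }

    // Risky: the bridge is exposed to content fetched over cleartext HTTP,
    // so whoever sits on the network path can supply the script that calls it.
    static void riskySetup(WebView view) {
        view.getSettings().setJavaScriptEnabled(true);
        view.addJavascriptInterface(new AdBridge(), "adBridge");
        view.loadUrl("http://ads.example.invalid/banner.html"); // constructed URL
    }

    // Hardened: HTTPS only, no mixed content, and top-level navigations
    // away from the one trusted origin are blocked before they load.
    static void hardenedSetup(WebView view) {
        WebSettings settings = view.getSettings();
        settings.setJavaScriptEnabled(true);
        settings.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest req) {
                Uri u = req.getUrl();
                boolean trusted = "https".equals(u.getScheme())
                        && "ads.example.invalid".equals(u.getHost());
                return !trusted; // returning true cancels the navigation
            }
        });
        view.addJavascriptInterface(new AdBridge(), "adBridge");
        view.loadUrl("https://ads.example.invalid/banner.html"); // constructed URL
    }
}
```

When reviewing an app or bundled SDK, every addJavascriptInterface call is worth tracing back to the URLs the same WebView can load and to the full list of annotated methods on the exposed object.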