WebViewCodeExecution

CVE-2012-6636

WebViewCodeExecution (CVE-2012-6636) is a vulnerability in the WebView component of the Google Android operating system that allows an attacker who controls a web page displayed by a vulnerable application to execute arbitrary Java code on the device. JavaScript running in the page can reach any public method of a Java object that the application has exposed through WebView.addJavascriptInterface(), including the getClass() method inherited from java.lang.Object, and from there use the Java Reflection API to load and invoke arbitrary classes such as java.lang.Runtime. With the help of WebViewCodeExecution, an attacker can gain unauthorized access to confidential data stored on the device and perform numerous actions (for example, send SMS messages). The code executed on the infected device runs with the same privileges (user ID and permissions) as the application containing the vulnerability. All versions of Google Android older than 4.2 (API level 17) are subject to this vulnerability; on 4.2 and later it persists for applications built with a targetSdkVersion below 17, because the platform only restricts the exposed methods to those annotated with @JavascriptInterface when the application targets API level 17 or higher.

Because an application affected by WebViewCodeExecution contains no malicious code of its own (the malicious JavaScript can be delivered from the Internet in the guise of an ordinary web page, or injected into an unencrypted HTTP page by an attacker on the network path), scanning the application package with a mobile anti-virus does not reveal the attack: there is nothing malicious in the package to detect. To stay safe, users of devices running vulnerable Google Android versions are advised not to launch applications received from unreliable sources. It is also advised to carefully review the permissions that programs request in order to work on the device, since code executed through this vulnerability inherits all of them.

Technical details

Numerous Android applications (for example, browsers and applications that render HTML content) use the WebView component to display web pages. Developers access this component through the system API and can expose Java objects to page scripts by calling WebView.addJavascriptInterface(). If JavaScript is enabled in the WebView, scripts on the displayed page can call the public methods of those exposed objects.

The vulnerability lies in the fact that, unless the application targets API level 17 or higher on Android 4.2 or later, every public method of an exposed object is reachable from JavaScript, including getClass() inherited from java.lang.Object. A script embedded in the HTML code of a web page can therefore obtain a Class object, call Class.forName() to load any Java class by name (for example java.lang.Runtime), and invoke its methods through reflection. Thus, using the same privileges that the compromised application has, it is possible to execute arbitrary code on any vulnerable system.
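The following listing is an added example and is not code from this page or from any real application. It shows, in one Android Activity, the vulnerable pattern described above next to a hardened configuration. The package, class and method names, the page URL and the asset path are assumptions; the reflection payload quoted in the comment is the widely published form of the attack, reproduced only to illustrate what the exposed getClass() method makes possible.

```java
// Added example (not from the original page or any real application).
// Package, class, method and URL/asset names are assumptions.
package com.example.webviewbridge;

import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.widget.Toast;

public class BridgeActivity extends Activity {

    /** Object exposed to page JavaScript under the name "Android". */
    public class Bridge {
        // Intended entry point. With targetSdkVersion >= 17 on Android 4.2+ only
        // methods carrying @JavascriptInterface are callable from JavaScript.
        // Without that enforcement every public method, including the inherited
        // java.lang.Object.getClass(), is callable, and getClass() is the foothold
        // for the reflection attack in CVE-2012-6636.
        @JavascriptInterface
        public void showToast(String text) {
            Toast.makeText(BridgeActivity.this, text, Toast.LENGTH_SHORT).show();
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        setUpHardened(webView);   // swap for setUpVulnerable(webView) to see the flaw
    }

    /**
     * VULNERABLE configuration. If the application is built with
     * targetSdkVersion < 17, or runs on Android < 4.2, a page served by an
     * attacker (or injected into this plain-HTTP response on the network path)
     * can execute arbitrary Java with the app's UID and permissions, e.g.:
     *
     *   Android.getClass().forName('java.lang.Runtime')
     *          .getMethod('getRuntime', null).invoke(null, null)
     *          .exec(['/system/bin/sh', '-c', 'id > /sdcard/pwned.txt']);
     *
     * Nothing in the APK itself is malicious; the payload is the web page.
     */
    private void setUpVulnerable(WebView webView) {
        webView.addJavascriptInterface(new Bridge(), "Android");
        webView.loadUrl("http://example.com/page.html");  // assumed URL, plain HTTP
    }

    /** HARDENED configuration. */
    private void setUpHardened(WebView webView) {
        // 1. Register the bridge only where the platform enforces
        //    @JavascriptInterface (API 17+). Together with targetSdkVersion >= 17
        //    in the manifest this removes getClass() and every other unannotated
        //    method from the JavaScript-visible surface. On older devices the
        //    bridge is simply absent, which is preferable to shipping the hole.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new Bridge(), "Android");
        }
        // 2. On Android 3.0-4.1 the system WebView registers its own
        //    "searchBoxJavaBridge_" object, reachable the same way; drop it.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            webView.removeJavascriptInterface("searchBoxJavaBridge_");
        }
        // 3. Never load attacker-influenced content into a WebView that has a
        //    bridge: ship the page in the APK (assumed asset path) rather than
        //    fetching it over HTTP where a network attacker could replace it.
        webView.loadUrl("file:///android_asset/page.html");
    }
}
```

The two halves differ in three ways a reviewer can check quickly: whether the bridge is registered on a platform that enforces the annotation, whether the implicit system bridge is removed on the affected releases, and whether the content loaded into a bridged WebView can be influenced by anyone other than the application author. The targetSdkVersion in the manifest is part of the fix, not an optional detail: on a 4.2 device an app that still targets API 16 keeps the old, unrestricted behaviour.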
