Google’s Instant Apps feature allows you to try apps before installing them, though a vulnerability allows attackers to abuse the feature to steal data.
A vulnerability in Android’s WebView component allows attackers to steal cookies and collect personal information—including browsing history and authentication tokens—according to Positive Technologies security researcher Sergey Toshin. The vulnerability, designated as CVE-2019-5765, was patched in January, though it is somewhat difficult to determine if you have received the patch.
Nominally, the vulnerability requires some other malware to be installed in order to exploit, though Positive Technologies indicates that it can be exploited through the use of Instant Apps, a feature that allows users to try applications without installing them first. With Instant Apps, an Android-powered device loads a small file, which is executed as a native app. Though Instant Apps are transitory, they are not stored on the device after use.
SEE: Mobile device security: A guide for business leaders (Tech Pro Research)
The way that WebView—which is invoked when web pages are accessed inside another app—is packaged within Android has changed between different versions. For users of Android 7.0 (Nougat) and higher, WebView is packaged as part of Google Chrome. For older Android versions, WebView is delivered through Google Play Services. The vulnerability was introduced in Android 4.4 (KitKat), in 2013.
Google Chrome and Android System Webview 72.0.3626.81 and higher contain a patch for the vulnerability. Typically, Android updates apps automatically when connected to Wi-Fi, and Google Play Services updates itself automatically without prompting the user beforehand. Assuming your Android-powered device is regularly connected to the Internet, it is likely that your update is installed.
For users without Google Play Services, it is possible to manually sideload WebView from APKMirror. WebView and Chrome are implementations of Google’s open-source Chromium browser, which also powers Samsung Internet Browser, and Yandex Browser.
For more on Android security, learn about fraudulent Google Play Store apps that promise to update your Android phone. Additionally, check out the future of Android with “What to expect from Android Q.”