Trend Micro’s Mobile Threats Research team has discovered a vulnerability in the Apache Cordova app framework (used to develop Android apps) that allows potential attackers to modify the appearance and behavior of apps just by clicking a specially-crafted URL.
This vulnerability is notable because 5.6% of all apps in Google Play are developed using Cordova and are now potentially affected.
The vulnerability is easily exploitable as it simply requires tricking the user into clicking a specially crafted URL. It allows app modification such as the appearance and functionalities. It can also inject popup screens and messages, and even remotely crash the apps by injecting special data into the intent bundle.
Designated as CVE-2015-1835, this high-severity vulnerability affects all versions of Apache Cordova up to 4.0.1. Apache has released a security bulletin confirming the vulnerability and a newer version 4.0.2 of Cordova Android to address these security issues.
Trend Micro strongly suggests Android app developers upgrade their Cordova framework to the latest version (version 4.0.2) and rebuild to a new release. This will prevent apps from being modified by attackers targeting this vulnerability.
