A security researcher at Positive Technologies, Sergey Toshin, has found a vulnerability that has existed in all Android versions since version 4.4. The flaw, a bug in the WebView component, could have been used to install malware or instant apps to access users' personal data, authentication tokens and headers, and other important data.
Google ranked the severity of the bug as “high” when it released the security patch for the flaw. The flaw had existed for a long time, but Google patched the vulnerability, tracked as CVE-2019-5765, after the researcher notified the company.
The bug was detected in Chromium, the engine WebView is built on in Android versions 4.4 and later. The WebView component allows web pages to be displayed inside Android apps. The bug potentially affected Chromium-based mobile browsers, including Google Chrome, Samsung Internet Browser, and Yandex Browser.
The bug was fixed in the latest release, Google Chrome 72, and Android users are advised to check that they have installed the critical update. Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies, said: “Since Android 7.0, WebView has been implemented via Google Chrome and, therefore, updating the browser is enough to fix the bug. On earlier Android versions, WebView must be updated via Google Play. Users who do not have Google Play Services on their smartphones should wait for a WebView update from the device manufacturer.”