Last-minute paper: Webview is far more than a 'view'

Presented at VB2017, Oct. 5, 2017, 9:30 a.m. (30 minutes)

*Android*'s Webview, as described by *Google*, is a view that enables *Android* apps to display web content. Today, it is far more than just a 'view': using a Webview allows developers to utilize advanced web technologies such as CSS, iframe and JavaScript to build apps. In this way, Webview not only changes the landscape of the web but also weakens the web's security infrastructure. The recently discovered WireX botnet used up to 100 Webview instances each time to launch DDoS attacks. In May 2017, possibly the largest *Android* adware, 'Judy', employed an invisible Webview on top of a game to load a malicious JavaScript payload with the capability of locating and clicking on *Google* *Ads* banners. This advanced adware disclosed on *Google Play* might have infected upwards of 36.5 million users to date. Two months later, another 300 apps were uncovered, again on *Google Play*, which can also generate fraudulent advert clicks by randomly selecting links in a Webview. Apart from click fraud, traditional and browser-based phishing attacks have taken advantage of Webview to support dozens of apps on *Google Play* targeting online payment companies. Furthermore, Webview has been discovered in collusion with other malicious technologies to perform clickjacking and activity hijacking attacks over the last few years. By exploiting Webview with a dynamic URL, malicious apps are able to successfully bypass the *Google Bouncer* scanner as well as AV detection. It also enables attackers to load different pages without having to update the apps. Moreover, the injected JavaScript code in a Webview allows malicious apps to steal sensitive and confidential information and control apps without users' interaction. An interesting and closer look at Webview will be revealed in this presentation.

Presenters:

  • Rowland Yu - Sophos
    Rowland Yu is a Senior Threat Researcher Level 2 at Sophos, where he is the primary researcher leading the Android team for malware analysis and emerging threats. He has over 10 years of experience and knowledge in advanced threat research, reverse engineering and remediation, vulnerability assessment, spam and DLP (data leakage protection). Rowland is also a regular speaker at the RSA, Virus Bulletin and AVAR conferences.
