Last-minute paper: Webview is far more than a 'view'

Thursday 5 October 09:30 - 10:00, Green room

Rowland Yu (Sophos)



Android's Webview, as described by Google, is a view that enables Android apps to display web content. Today, it is far more than a just 'view': using a Webview allows developers to utilize advanced web technologies such as CSS, iframe and JavaScript to build apps. In this way, Webview not only changes the landscape of the web but also weakens the web's security infrastructure.

The recently discovered WireX botnet used up to 100 Webview instances each time to launch DDoS attacks. In May 2017, possibly the largest Android adware, 'Judy', employed an invisible Webview on top of a game to load a malicious JavaScript payload with the capability of locating and clicking on Google Ads banners. This advanced adware disclosed on Google Play might have infected upwards of 36.5 million users to date. Two months later, another 300 apps were uncovered on Google Play again, which can also generate fraudulent advert clicks by randomly selecting links in a Webview. Apart from click fraud, traditional and browser-based phishing attacks have taken advantage of Webview to support dozens of apps on Google Play targeting online payment companies. Furthermore, Webview has been discovered in collusion with other malicious technologies to perform clickjacking and activity hijacking attacks over the last few years.

By exploiting Webview with a dynamic URL, malicious apps are able to successfully bypass the Google Bouncer scanner as well as the AV detection. It also enables attackers to load different pages without having to update the apps. Moreover, the injected JavaScript code in a Webview allows malicious apps to steal sensitive and confidential information and control apps without users' interaction. An interesting and closer look at Webview will be revealed in this presentation.

 

Rowland-Yu-web.jpg

Rowland Yu

Rowland Yu is a Senior Threat Researcher Level 2 in Sophos, where he is the primary researcher leading the Android team for malware analysis and emerging threats. He has over 10 years of experience and knowledge in advanced threat research, reverse engineering and remediation, vulnerability assessment, spam and DLP (data leakage protection). Rowland is also a regular speaker at the RSA, Virus Bulletin and AVAR conferences.


   Download slides

VB2018 MONTREAL!

VB2017 OVERVIEW

VB2017 SPEAKERS

VB2017 PROGRAMME

2017 PÉTER SZŐR AWARD


Other VB2017 papers

Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)

Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…

Mariachis and jackpotting: ATM malware from Latin America

Thiago Marques (Kaspersky Lab)

Fabio Assolini (Kaspersky Lab)

Of all the forms of attack against financial institutions in the world, the ones that are most likely to combine traditional…

Keynote address: Inside Cloudbleed

John Graham-Cumming (Cloudflare)

In February 2017, Cloudflare was revealed to have been leaking private information including HTTP headers, cookies and POST data…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.