Last-minute paper: Webview is far more than a 'view'

Thursday 5 October 09:30 - 10:00, Green room

Rowland Yu (Sophos)

Android's Webview, as described by Google, is a view that enables Android apps to display web content. Today, it is far more than just a 'view': using a Webview allows developers to utilize advanced web technologies such as CSS, iframe and JavaScript to build apps. In this way, Webview not only changes the landscape of the web but also weakens the web's security infrastructure.

The recently discovered WireX botnet used up to 100 Webview instances each time to launch DDoS attacks. In May 2017, 'Judy', possibly the largest Android adware, employed an invisible Webview on top of a game to load a malicious JavaScript payload with the capability of locating and clicking on Google Ads banners. This advanced adware, disclosed on Google Play, might have infected upwards of 36.5 million users to date. Two months later, another 300 apps were uncovered on Google Play that can also generate fraudulent advert clicks by randomly selecting links in a Webview. Apart from click fraud, traditional and browser-based phishing attacks have taken advantage of Webview to support dozens of apps on Google Play targeting online payment companies. Furthermore, over the last few years Webview has been found working in collusion with other malicious technologies to perform clickjacking and activity hijacking attacks.

By exploiting Webview with a dynamic URL, malicious apps are able to bypass the Google Bouncer scanner as well as AV detection. A dynamic URL also enables attackers to load different pages without having to update the apps. Moreover, JavaScript code injected into a Webview allows malicious apps to steal sensitive and confidential information and to control apps without users' interaction. An interesting, closer look at Webview will be revealed in this presentation.



Rowland Yu

Rowland Yu is a Senior Threat Researcher Level 2 at Sophos, where he is the primary researcher leading the Android team for malware analysis and emerging threats. He has over 10 years of experience and knowledge in advanced threat research, reverse engineering and remediation, vulnerability assessment, spam and DLP (data leakage protection). Rowland is also a regular speaker at the RSA, Virus Bulletin and AVAR conferences.
