Android
Web
Threat Guidances
Vulnerability
November 4, 2020

Chrome for Android Vulnerabilities

Lookout Coverage and Recommendation for Admins

Lookout will detect any version of Chrome before 86.0.4240.185 as a vulnerable application in your fleet. Since Chrome is the primary browser on Android devices, admins should proactively enable the vulnerability protection in the Lookout console and configure it with the appropriate severity and remediation actions that align with their organization’s response workflows.

Overview

Google recently discovered and disclosed an exploitable vulnerability in Chrome for Android, Windows, and Mac. The Android- specific vulnerability, which is identified as CVE-2020-16010, was reported by members of the Google Project Zero team.

According to the report, the vulnerability exists due to a heap-based buffer overflow that is triggered when Google Chrome on Android renders maliciously crafted HTML content. Successfully exploiting the vulnerability may allow the attacker to compromise the entire affected device.

Lookout Analysis

Google has noted that there are already exploits for this vulnerability in the wild, which explains the rapid turnaround from reporting the vulnerability to releasing an app update. Based on telemetry from our Lookout Security Graph, which is informed by tens of millions Android users protected by Lookout Personal and Lookout for Work, we estimate that up to 50% of Android users globally are running an out of date version of Chrome for Android.

A successful exploit could allow the actor to perform a sandbox escape via a crafted HTML page, which means the actor can gain access to Chrome's capabilities without needing to root the device. Mobile device management (MDM) tools will not detect a successful exploitation. In the event of a successful exploit, the actor could have access to any capability that the browser has. This includes access to the camera and microphone, location data, browsing history and more.

Authors

Lookout

Cloud & Endpoint Security

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.

Platform(s) Affected
Android
Platform(s) Affected
Web
Entry Type
Threat Guidances
Threat Type
Vulnerability
Platform(s) Affected
Android
Web
Threat Guidances
Vulnerability

Related Content

Chrome & Firefox Vulnerabilties

Google and Mozilla have both recently disclosed critical vulnerabilities in their respective Chrome and Firefox web browsers.

Read Threat Article

CVE-2024-8904, 9602, & 9603

Google has reported two new vulnerabilities in Chromium based browsers tracked as CVE-2024-8904 and CVE-2024-9602

Read Threat Article

CVE-2024-7971

Researchers at Microsoft recently discovered and reported a new zero day vulnerability in Google’s Chrome browser, which is tracked as CVE-2024-7971

Read Threat Article

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Schedule Demo
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell