Security researcher Charlie Miller warned Android handset users of a code flaw on Saturday at the ShmooCon hacker conference in Washington, D.C. The vulnerability in Google's open source mobile operating system allows malicious hackers to remotely control the phone's web browser and related processes. They could then gain access to credentials, history, and encrypted Web transactions. Miller warns about the significant danger: "avoid using the browser until a patch is released. If this is not possible, only visit trusted sites and only over the T-Mobile network (avoid Wi-Fi)." The problem lies in code written by San Diego-based PacketVideo, the writer of OpenCore, the multimedia subsystem for Android. The software provides media features that other developers build their devices on, including playing, streaming and recording images, video, and other media.
Just after Android's October 2008 release, Miller and colleagues at Independent Security Evaluators found a similar browser vulnerability. A patch was made available in early November, but another problem arose. Users complained of a bug where the system failed to distinguish between typed words and system commands: typing the word "reboot" actually restarted the phone.
Regarding the current security flaw, Google spokesman Jay Nancarrow said in an e-mail to Forbes that the PacketVideo flaw will be patched and will reach users in an update through the T-Mobile network.
Despite the multiple necessary security updates, ReadWriteWeb says that the Android OS is more secure than other operating systems. With its "sandboxing" approach, malicious code that has been accessed by the browser is separated from the system functions and other applications. Because of this, the flaw that Miller discovered would be limited to browser resources and would not reach contact list information or other calling and texting data, as was the case in earlier iPhone and other smart phone attacks.