The zero-day vulnerability in Google’s Chromium mobile browser dubbed BadKernel allows hackers to gain control of a user’s Android smartphone. Attacks might ultimately gain access to a target’s SMS, contacts, location, camera and microphone, credit card wallets and passwords. The vulnerability is said to specifically target Messages, Facebook, Gmail, and Twitter.
Despite the vulnerability is made public for more than a year, only in August 2016 have Chinese security researchers discovered that the V8 issue also affected a whole range of Android-related products where the older V8 engine versions had been deployed.
The V8 engine is used for the creation of mobile browsers such as Chrome and Opera. It is also ships with the WebView Android component, which mobile developers use inside their apps to view Web content inside the application, without opening a dedicated browser.
Currently, popular apps such as WeChat, Facebook, Twitter, or Gmail, use the WebView component. Vulnerable WebView versions are also the default on Android 4.4.4 up to version 5.1.
Some SDKs, such as the Tencent X5.SDK, also deployed a custom V8 engine, based on the V8 versions vulnerable to BadKernel. This means that a large number of Chinese apps, created with this SDK, are also vulnerable to BadKernel attacks. The list is mainly comprised of Chinese mobile apps such as QQ, QQ Space, Jingdong, 58 City, Sohu, and Sina News.