Android’s DNS resolver is vulnerable to DNS poisoning due to weak randomness in its implementation. Researchers Roee Hay & Roi Saltzman from IBM Application Security Research Group demonstrate that how an attacker can successfully guess the nonce of the DNS request with a probability thatis su cient for a feasible attack. Android version 4.0.4 and below are Vulnerable to this bug.
Upon success, a sub-domain points to the attacker’s IP, which enables the latter to steal wild card cookies of the attacked domain, and even set cookies. In addition, a malicious app instantiate the Browser app on the attacker’s malicious web-page. If the attacker knows the PID (for example, a malicious app can access that information), the attack expected time can be reduced furthermore.
Vulnerability dubbed as “CVE-2012-2808” Android 4.1.1 has been released, and patches are available on AOSP. The random sample is now pulled from /dev/urandom, which should have adequate entropy by the time network activity occurs.