<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OpenClaw Android Application - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/openclaw-android-application/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 11 Jan 2024 18:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/openclaw-android-application/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenClaw Android App Vulnerable to Arbitrary Code Execution via WebView JavascriptInterface</title><link>https://feed.craftedsignal.io/briefs/2024-01-openclaw-webview-rce/</link><pubDate>Thu, 11 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openclaw-webview-rce/</guid><description>The openclaw npm package before version 2026.3.22 is vulnerable to arbitrary code execution, where an attacker could inject instructions into the app by invoking the JavascriptInterface bridge from untrusted origins within Android Canvas WebView pages.</description><content:encoded><![CDATA[<p>The OpenClaw Android application, specifically versions prior to 2026.3.22, contains a vulnerability that allows for arbitrary code execution. This flaw stems from insufficient validation of the origin of requests made to the JavascriptInterface bridge within Android Canvas WebView pages. An attacker could potentially exploit this by serving malicious content via a compromised or untrusted website loaded in the WebView. This allows the attacker to bypass security restrictions and inject arbitrary instructions directly into the application's context. The vulnerability was reported by @cyjhhh and a fix was implemented in version 2026.3.22. Defenders should ensure all OpenClaw Android applications are updated to version 2026.3.22 or later.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker hosts a malicious webpage containing JavaScript code designed to exploit the WebView's JavascriptInterface.</li>
<li>The user opens the OpenClaw Android application and navigates to the CanvasScreen, which loads the attacker's malicious webpage within a WebView.</li>
<li>The malicious JavaScript code within the WebView attempts to invoke methods exposed through the JavascriptInterface bridge.</li>
<li>Due to the lack of sufficient origin validation in versions prior to 2026.3.22, the JavascriptInterface bridge incorrectly processes the attacker's commands.</li>
<li>The attacker crafts specific instructions through the bridge to execute arbitrary code within the OpenClaw application's context.</li>
<li>This could lead to the installation of malware, data exfiltration, or other malicious actions depending on the permissions granted to the OpenClaw application.</li>
<li>The application executes the attacker-injected code, granting the attacker control within the app's sandbox.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary code within the OpenClaw Android application. This could lead to data theft, credential compromise, or potentially lateral movement to other applications or systems accessible from the compromised device. The number of affected users depends on the adoption rate of vulnerable OpenClaw versions, but the impact is high due to the potential for complete compromise of the application and its data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the OpenClaw npm package to version 2026.3.22 or later to patch the vulnerability.</li>
<li>Monitor for unexpected network activity originating from devices running older versions of OpenClaw, as this may indicate exploitation attempts.</li>
<li>Consider implementing network-level restrictions to prevent the OpenClaw application from accessing untrusted or known malicious websites.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>android</category><category>webview</category><category>rce</category></item></channel></rss>