Got Adobe Reader on your Android device? You had best update it ASAP

Got Adobe Reader on your Android device? You had best update it ASAP

A critical security vulnerability has been found in Adobe Reader Mobile, the version of the popular PDF Reader developed for the Android operating system, which could lead to remote hackers compromising documents stored on your Android device and its SD memory card.

If you were feeling smug that you had managed to avoid the Heartbleed flaw affecting up to 50 million Android users because you’re not running Android 4.1.1 of Jellybean, then perhaps you should wipe that smile off your face.

Because there’s every possibility that you’re running a vulnerable version of Adobe Reader on your Android, which is carrying by a critical (if not Heartbleed-related) security hole.

Sign up to our free newsletter.
Security news, advice, and tips.

In fact, it is believed that the Android version of Adobe Reader is used on between “100 million to 500 million” devices around the world – meaning that could be a fair number of affected users.

The Adobe Reader security hole was uncovered by security researcher Yorick Koster, who discovered that it was possible for malicious attackers to create a boobytrapped PDF file that would cause remote code execution to occur on the Android version of Adobe Reader, and run malicious Javascript code within the Reader app.

An attacker can create a specially crafted PDF file containing Javascript that runs when the target user views (or interacts with) this PDF file. Using any of the Javascript objects listed above provides the attacker access to the public Reflection APIs inherited from Object. These APIs can be abused to run arbitrary Java code.

Koster released proof-of-concept code demonstrating how the flaw could be abused by attackers, and informed Adobe of the problem.

In a security advisory, Adobe underlined that version 11.1.3 and earlier of Adobe Reader Mobile for Android are vulnerable to the flaw (dubbed CVE-201400514), which exploits a vulnerability in its implementation of Javascript APIs.

To fix the flaw, Adobe has released version 11.2.0 of its Reader software for Android smartphones and tablets, which is available from the official Google Play store.

Version 11.2.0 of Adobe’s Reader software for Android described the update as providing “Improved Security”:

To keep you safe, Reader now uses Android’s built-in JavaScript security. This additional protection is available on Android versions 4.2 and newer. For users running old versions of Android, we disabled JavaScript when filling forms on devices t make sure those users are safe too.

Obviously, as with Adobe software for your PC or Apple Mac, the only safe course of action is to download your Adobe updates from official outlets. It’s all too common to see cybercriminals attempt to spread their malware attacks by disguising them as security updates from the likes of Adobe.

Take care online, and ensure that all your computing devices are kept up-to-date with security patches – whether they be on your desktop, your laptop, or in your pocket.

This article originally appeared on the Lumension blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.