Researchers Roee Hay & Roi Saltzman from IBM Application Security Research Group demonstrate how an attacker can successfully guess the nonce of the DNS request with a probability thatis su cient for a feasible attack. Android version 4.0.4 and below are Vulnerable to this bug. Android 4.1.1 has been released, and patches are available on AOSP. The random sample is now pulled from /dev/urandom, which should have adequate entropy by the time network activity occurs.
Source: https://thehackernews.com/2012/07/cve-2012-2808-android-404-dns-poisoning.html