A new exploit discovered in the latest Chrome for Android app, is a threat to all Android handsets.
Advertisement
The bad news? All it takes is opening a website containing the malicious code and an attacker can have full control of your phone, and do things like download additional apps without your interaction.
According to a report in The Register, the exploit demonstrated by Gong is notable because “it is a single clean exploit that does not require multiple chained vulnerabilities to work”. A flaw in JavaScript v8 is believed to be at the center of this issue.
What adds to its severity is that it’s a one shot exploit, meaning just one vulnerability was enough to remotely hack the device.
Gong told The Register that the vulnerability could be exploited via the latest Chrome version, and in theory, should work on any Android version.
Ruiu went on to explain that by using a website that exploits a JavaScript v8 vulnerability in the Chrome mobile browser, Gong was able to install a game with no user interaction required at all.
Worse still, as this bug was found in one of the newest Android handsets – Google’s own Nexus 6 (Project Fi version) – it suggests the problem could affect lots of phones. Since the exploit isn’t out in the public, and Google knows about it, we should see a security patch sent out via an OTA update in the not too distant future. Chinese hacker Guang Gong showcased the exploit at the MobilePwn2Own part of the PacSec conference in Tokyo – a meeting of security experts who show off what they’ve discovered for the kudos.
Advertisement
The vulnerability took the researcher three months of development to fully flesh out, but when he demonstrated it, the method proved scarily smooth and efficient.
