New Chrome Exploit Puts Android Users to Instant Vulnerability

A new Chrome exploit that hackers have discovered puts every Android phone at risk of falling under an attacker's control.

Engadget reports that virtually every Android version running the latest Chrome can be compromised. During the PWN2OWN panel at the PacSec conference in Tokyo last Nov. 11, Guang Gong, a researcher from Qihoo 360, demonstrated how the exploit works. The details have not been fully revealed, but in essence, the exploit takes advantage of a vulnerability in JavaScript v8 to give the attacker full administrative access to the device in one shot.

PacSec organizer Dragos Ruiu explained to Vulture South, "The impressive thing about Guang's exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction."

"As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone," Ruiu further said.

PC Mag noted that since Google was notified about the bug during the conference, fixes are likely coming soon, and those who wish to take advantage of this exploit would not be able to do so. And because Guang Gong did not fully disclose the details to the public, he may qualify for a reward under Google's bug bounty scheme.

Last month, two new Stagefright vulnerabilities were found, putting billions of users with devices running Android OS versions as far back as 2008 at risk. Stagefright 2.0 can affect devices running Android versions older than Lollipop (5.0 to 5.1.1) through remote code execution, Zimperium said in a report. It can be exploited through Web browsers. Zimperium reportedly informed Google about these flaws on Aug. 15, and on Oct. 5, Google issued new patches as part of its Android Security Bulletin Monthly Release.
