Over at MobilePwn2Own at the PacSec conference in Tokyo, Japan, a security researcher named Guang Gong showcased an exploit he’d developed over three months which, if used, could take control of virtually any Android phone with just a Chrome link…
The exploit — which wasn’t revealed in full due to security concerns — targets the JavaScript v8 engine and could, in theory, allow hackers to get access to a phone if that phone happens to visit a malicious website. In short: Someone with the knowledge and intention could take complete control of your phone if you happen to visit the wrong website. Thankfully, the exploit was developed by someone whose job it is to find vulnerabilities, and not a hacker with malicious intent.
Using the exploit, Guang Gong was able to take control of a Project Fi Nexus 6 and install an application without any user interaction on the device. And, because it was developed to hit the JavaScript engine, it could be redeveloped to work with any Android phone.
As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.”
The vuln being in recent version of Chrome should work on all Android phones; we were checking his exploit specifically but you could recode it for any Android target since he was hitting the JavaScript engine.
As a reward for finding the vulnerability, Gong won a trip to the CanSecWest security conference next year and will likely receive a bug bounty from Google. A member of Google’s security team was at the event where Gong showed off his exploit, and will take it back to headquarters to test and resolve the issues.
FTC: We use income earning auto affiliate links. More.
Comments