A new mobile exploit unveiled at the MobilePwn2Own panel at the PacSec conference this week enables an attacker to take control of any Android device via a Chrome link that directs users, without their knowledge, to a malicious website.
Developed by Chinese security researcher Guang Gong, the full mechanics and underpinnings of the exploit weren’t revealed due to obvious security considerations. What we do know is that the exploit takes advantage of a security hole in Android’s JavaScript v8 engine.
In showcasing the security vulnerability at the conference, Gong managed to take complete control of a Nexus 6 and install any application of his choosing. The exploit took Gong three months to develop, and because it specifically targets the JavaScript v8 engine, reports indicate that the code can easily be tailored to target any Android device on the market running the most recent version of Chrome.
“The impressive thing about Guang’s exploit is that it was one shot,” PacSec organiser Dragos Ruiu told Vulture South in remarks that were relayed by The Register. “Most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction.”
“As soon as the phone accessed the website,” Ruiu further explained, “the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.”
So what happens next?
Well, a representative from Google’s security team was naturally in attendance and he will reportedly head back to the mothership where the Android team will get busy working on a patch. As for Gong, he won a free trip to next year’s CanSecWest security conference and it’s also likely that he’ll get some cold hard cash in the form of a bug bounty reward from Google.